Merge branch 'master' into empty_message

Kludex · web-flow · commit 4df7cf3570ee · 2024-12-06T08:17:03.000+01:00
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -20,7 +20,7 @@ jobs:
           git config user.email 41898282+github-actions[bot]@users.noreply.github.com
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v3
+        uses: astral-sh/setup-uv@v4
         with:
           version: "0.4.12"
           enable-cache: true
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v3
+        uses: astral-sh/setup-uv@v4
         with:
           version: "0.4.12"
           enable-cache: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v3
+        uses: astral-sh/setup-uv@v4
         with:
           version: "0.4.12"
           enable-cache: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.0.19 (2024-11-30)
+
+* Don't warn when CRLF is found after last boundary on `MultipartParser` [#193](https://github.com/Kludex/python-multipart/pull/193).
+
+## 0.0.18 (2024-11-28)
+
+* Hard break if found data after last boundary on `MultipartParser` [#189](https://github.com/Kludex/python-multipart/pull/189).
+
 ## 0.0.17 (2024-10-31)
 
 * Handle PermissionError in fallback code for old import name [#182](https://github.com/Kludex/python-multipart/pull/182).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,11 @@
+# Security Policy
+
+If you think you have identified a security issue with `python-multipart`, **do not open a public issue**.
+
+To responsibly report a security issue, please navigate to the Security tab for the repo and click "Report a vulnerability."
+
+![Screenshot of repo security tab showing "Report a vulnerability" button](https://github.com/encode/.github/raw/master/img/github-demos-private-vulnerability-reporting.png)
+
+Be sure to include as much detail as necessary in your report. As with reporting normal issues, a minimal reproducible example will help the maintainers address the issue faster.
+
+Thank you.
diff --git a/docs/index.md b/docs/index.md
@@ -16,10 +16,10 @@ def simple_app(environ, start_response):
 
     # The following two callbacks just append the name to the return value.
     def on_field(field):
-        ret.append(b"Parsed field named: %s" % (field.field_name,))
+        ret.append(b"Parsed value parameter named: %s" % (field.field_name,))
 
     def on_file(file):
-        ret.append(b"Parsed file named: %s" % (file.field_name,))
+        ret.append(b"Parsed file parameter named: %s" % (file.field_name,))
 
     # Create headers object.  We need to convert from WSGI to the actual
     # name of the header, since this library does not assume that you are
@@ -55,7 +55,7 @@ Date: Sun, 07 Apr 2013 01:40:52 GMT
 Server: WSGIServer/0.1 Python/2.7.3
 Content-type: text/plain
 
-Parsed field named: foo
+Parsed value parameter named: foo
 ```
 
 For a more in-depth example showing how the various parts fit together, check out the next section.
diff --git a/noxfile.py b/noxfile.py
@@ -14,8 +14,12 @@ def rename(session: nox.Session, editable: bool) -> None:
     assert "import python_multipart" not in session.run("python", "-c", "import multipart", silent=True)
 
     assert "import python_multipart" in session.run("python", "-Wdefault", "-c", "import multipart", silent=True)
-    assert "import python_multipart" in session.run("python", "-Wdefault", "-c", "import multipart.exceptions", silent=True)
-    assert "import python_multipart" in session.run("python", "-Wdefault", "-c", "from multipart import exceptions", silent=True)
+    assert "import python_multipart" in session.run(
+        "python", "-Wdefault", "-c", "import multipart.exceptions", silent=True
+    )
+    assert "import python_multipart" in session.run(
+        "python", "-Wdefault", "-c", "from multipart import exceptions", silent=True
+    )
     assert "import python_multipart" in session.run(
         "python", "-Wdefault", "-c", "from multipart.exceptions import FormParserError", silent=True
     )
diff --git a/pyproject.toml b/pyproject.toml
@@ -44,7 +44,7 @@ dev-dependencies = [
     "PyYAML==6.0.1",
     "invoke==2.2.0",
     "pytest-timeout==2.3.1",
-    "ruff==0.3.4",
+    "ruff==0.8.0",
     "mypy",
     "types-PyYAML",
     "atheris==2.3.0; python_version != '3.12'",
@@ -122,4 +122,4 @@ exclude_lines = [
 ]
 
 [tool.check-sdist]
-git-only = ["docs", "fuzz", "scripts", "mkdocs.yml", "uv.lock"]
+git-only = ["docs", "fuzz", "scripts", "mkdocs.yml", "uv.lock", "SECURITY.md"]
diff --git a/python_multipart/__init__.py b/python_multipart/__init__.py
@@ -2,7 +2,7 @@
 __author__ = "Andrew Dunham"
 __license__ = "Apache"
 __copyright__ = "Copyright (c) 2012-2013, Andrew Dunham"
-__version__ = "0.0.17"
+__version__ = "0.0.19"
 
 from .multipart import (
     BaseParser,
diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
@@ -1106,7 +1106,6 @@ def data_callback(name: CallbackName, end_i: int, remaining: bool = False) -> No
                 # Skip leading newlines
                 if c == CR or c == LF:
                     i += 1
-                    self.logger.debug("Skipping leading CR/LF at %d", i)
                     continue
 
                 # index is used as in index into our boundary.  Set to 0.
@@ -1414,9 +1413,14 @@ def data_callback(name: CallbackName, end_i: int, remaining: bool = False) -> No
                     state = MultipartState.END
 
             elif state == MultipartState.END:
-                # Do nothing and just consume a byte in the end state.
-                if c not in (CR, LF):
-                    self.logger.warning("Consuming a byte '0x%x' in the end state", c)  # pragma: no cover
+                # Don't do anything if chunk ends with CRLF.
+                if c == CR and i + 1 < length and data[i + 1] == LF:
+                    i += 2
+                    continue
+                # Skip data after the last boundary.
+                self.logger.warning("Skipping data after last boundary")
+                i = length
+                break
 
             else:  # pragma: no cover (error case)
                 # We got into a strange state somehow!  Just stop processing.
diff --git a/scripts/check b/scripts/check
@@ -6,5 +6,5 @@ SOURCE_FILES="python_multipart multipart tests"
 
 uvx ruff format --check --diff $SOURCE_FILES
 uvx ruff check $SOURCE_FILES
-uvx --with types-PyYAML mypy $SOURCE_FILES
+uv run mypy $SOURCE_FILES
 uvx check-sdist
diff --git a/tests/test_multipart.py b/tests/test_multipart.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import logging
 import os
 import random
 import sys
@@ -9,6 +10,7 @@
 from typing import TYPE_CHECKING, cast
 from unittest.mock import Mock
 
+import pytest
 import yaml
 
 from python_multipart.decoders import Base64Decoder, QuotedPrintableDecoder
@@ -825,7 +827,7 @@ def test_http(self, param: TestParams) -> None:
             return
 
         # No error!
-        self.assertEqual(processed, len(param["test"]))
+        self.assertEqual(processed, len(param["test"]), param["name"])
 
         # Assert that the parser gave us the appropriate fields/files.
         for e in param["result"]["expected"]:
@@ -1210,6 +1212,68 @@ def on_field(f: FieldProtocol) -> None:
         self.assertEqual(fields[2].field_name, b"baz")
         self.assertEqual(fields[2].value, b"asdf")
 
+    def test_multipart_parser_newlines_before_first_boundary(self) -> None:
+        """This test makes sure that the parser does not handle when there is junk data after the last boundary."""
+        num = 5_000_000
+        data = (
+            "\r\n" * num + "--boundary\r\n"
+            'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n'
+            "Content-Type: text/plain\r\n\r\n"
+            "hello\r\n"
+            "--boundary--"
+        )
+
+        files: list[File] = []
+
+        def on_file(f: FileProtocol) -> None:
+            files.append(cast(File, f))
+
+        f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary")
+        f.write(data.encode("latin-1"))
+
+    def test_multipart_parser_data_after_last_boundary(self) -> None:
+        """This test makes sure that the parser does not handle when there is junk data after the last boundary."""
+        num = 50_000_000
+        data = (
+            "--boundary\r\n"
+            'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n'
+            "Content-Type: text/plain\r\n\r\n"
+            "hello\r\n"
+            "--boundary--" + "-" * num + "\r\n"
+        )
+
+        files: list[File] = []
+
+        def on_file(f: FileProtocol) -> None:
+            files.append(cast(File, f))
+
+        f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary")
+        f.write(data.encode("latin-1"))
+
+    @pytest.fixture(autouse=True)
+    def inject_fixtures(self, caplog: pytest.LogCaptureFixture) -> None:
+        self._caplog = caplog
+
+    def test_multipart_parser_data_end_with_crlf_without_warnings(self) -> None:
+        """This test makes sure that the parser does not handle when the data ends with a CRLF."""
+        data = (
+            "--boundary\r\n"
+            'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n'
+            "Content-Type: text/plain\r\n\r\n"
+            "hello\r\n"
+            "--boundary--\r\n"
+        )
+
+        files: list[File] = []
+
+        def on_file(f: FileProtocol) -> None:
+            files.append(cast(File, f))
+
+        f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary")
+        with self._caplog.at_level(logging.WARNING):
+            f.write(data.encode("latin-1"))
+            assert len(self._caplog.records) == 0
+
     def test_max_size_multipart(self) -> None:
         # Load test data.
         test_file = "single_field_single_file.http"
diff --git a/uv.lock b/uv.lock
