[issue23950] Odd behavior with "file" and "filename" attributes in cgi.FieldStorage
New submission from Rob King:

Hello, everyone. I've noticed an issue that could be just a documentation inaccuracy or a genuine, minor bug in cgi.FieldStorage.

The documentation for the module states: "You can test for an uploaded file by testing either the filename attribute or the file attribute."

However, I've noticed that on a form submission that includes both a file field and a normal form field, *all* of the members of the form have a non-None "file" attribute, while only the actual uploaded file has a non-None "filename" attribute.

This would appear to be caused by the cgi module's use of MiniFieldStorage in some situations, and FieldStorage in others. The FieldStorage class (if I'm reading the code correctly) would appear to always have a non-None "file" attribute but may have a None "filename" attribute.

This makes the documentation for the module unclear, as testing for a non-None "file" attribute will always return True in cases of FieldStorage, even if the particular field is not actually a file.

I would suggest modifying the documentation to say something like: "You can test for an uploaded file by testing the filename attribute."

Please let me know if I'm missing something, that's always also a possibility. :)

--
messages: 240942
nosy: deadpixi
priority: normal
severity: normal
status: open
title: Odd behavior with "file" and "filename" attributes in cgi.FieldStorage
versions: Python 3.4
___
Python tracker <http://bugs.python.org/issue23950>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23952] Document the 'maxlen' member of the cgi module
Changes by Rob King:

--
versions: +Python 2.7, Python 3.2, Python 3.3
___
Python tracker <http://bugs.python.org/issue23952>
___
[issue23952] Document the 'maxlen' member of the cgi module
New submission from Rob King:

The cgi module has a global variable, 'maxlen', that specifies the maximum length of a POST request. By default, this limit is 0, meaning an unlimited POST request size.

Having an unlimited default opens up CGI scripts to resource-exhaustion attacks. Setting the maxlen variable to a nonzero integer solves this problem, but this fix is not in the official documentation - neither the reference manual nor the module's docstring.

I would recommend augmenting the module's docstring with the following statement:

"The maxlen variable can be set to an integer indicating the maximum size of a POST request. POST requests larger than this size will result in a ValueError being raised during parsing. The default value of this variable is 0, meaning the request size is unlimited."

--
messages: 240965
nosy: deadpixi
priority: normal
severity: normal
status: open
title: Document the 'maxlen' member of the cgi module
versions: Python 3.4, Python 3.5, Python 3.6
___
Python tracker <http://bugs.python.org/issue23952>
___
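
The size limit discussed in issue23952, as an added example that is not part of the original message and is not the cgi module's code: a CGI-style body reader that rejects an oversized POST with ValueError before reading it. It does not import cgi (the module was removed in Python 3.13); `read_post_body`, `MAX_POST_BYTES` and the sample requests are assumptions made for illustration.

```python
import io

# read_post_body and MAX_POST_BYTES are illustrative names, not cgi module API.
MAX_POST_BYTES = 1024 * 1024  # assumed limit; pick one that fits the application


def read_post_body(environ, stream, limit=MAX_POST_BYTES, chunk=64 * 1024):
    """Return the POST body, refusing requests that declare more than `limit` bytes.

    Mirrors the behaviour described above for a nonzero cgi.maxlen: an
    oversized request raises ValueError before any of the body is read.
    """
    raw = environ.get("CONTENT_LENGTH", "")
    try:
        declared = int(raw)
    except ValueError:
        raise ValueError("missing or non-numeric CONTENT_LENGTH: %r" % raw)
    if declared < 0:
        raise ValueError("negative CONTENT_LENGTH")
    if declared > limit:
        raise ValueError("POST body of %d bytes exceeds limit of %d" % (declared, limit))

    # Read only what was declared, in bounded chunks, so a peer that keeps
    # sending past its declared length cannot grow the buffer.
    parts, remaining = [], declared
    while remaining > 0:
        data = stream.read(min(chunk, remaining))
        if not data:  # peer closed early; body is shorter than declared
            break
        parts.append(data)
        remaining -= len(data)
    return b"".join(parts)


def demo():
    # Constructed sample requests, not taken from the page.
    small = b"name=rob&comment=hello"
    ok = read_post_body({"CONTENT_LENGTH": str(len(small))}, io.BytesIO(small), limit=64)
    try:
        read_post_body({"CONTENT_LENGTH": "5000000"}, io.BytesIO(b"x" * 10), limit=64)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

In a real CGI script the arguments would be `os.environ` and `sys.stdin.buffer`.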