Skip to content

#12423 Fix web.http not parsing multiple files in multipart form-data#12424

Merged
adiroiban merged 1 commit intotwisted:trunkfrom
cas--:12423-fix-web-http-multipart-files
Feb 5, 2025
Merged

#12423 Fix web.http not parsing multiple files in multipart form-data#12424
adiroiban merged 1 commit intotwisted:trunkfrom
cas--:12423-fix-web-http-multipart-files

Conversation

@cas--
Copy link
Contributor

@cas-- cas-- commented Feb 3, 2025
edited
Loading

Scope and purpose

Fixes #12423

Fixes a regression in twisted.web.http due to replacement of cgi.parse_multipart in commit 4579398 resulted in multipart/form-data requests with multiple files and same name parameter would be parsed to contain only a single file.

@codspeed-hq
Copy link

codspeed-hq bot commented Feb 3, 2025
edited
Loading

CodSpeed Performance Report

Merging #12424 will not alter performance

Comparing cas--:12423-fix-web-http-multipart-files (230dc05) with trunk (6baa16d)

Summary

✅ 34 untouched benchmarks

@cas-- cas-- force-pushed the 12423-fix-web-http-multipart-files branch from 20f6fbb to f7e1830 Compare February 3, 2025 13:04
@cas-- cas-- changed the title Fix web.http not parsing multiple files in multipart form-data #12423 Fix web.http not parsing multiple files in multipart form-data Feb 3, 2025
@cas-- cas-- marked this pull request as ready for review February 3, 2025 20:59
@chevah-robot chevah-robot requested a review from a team February 3, 2025 20:59
adiroiban
adiroiban requested changes Feb 4, 2025
View reviewed changes
Copy link
Member

@adiroiban adiroiban left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many thanks for the PR.

It looks very good.

Only a few minor comments regarding the release notes and the test.

Thanks again!

@cas-- cas-- force-pushed the 12423-fix-web-http-multipart-files branch from f7e1830 to d42720a Compare February 4, 2025 18:22
@cas--
Fix twisted.web.http parsing multiple files with same 'name' param
230dc05 
According to rfc7578:

    To match widely deployed implementations, multiple files MUST be sent
    by supplying each file in a separate part but all with the same
    "name" parameter.
@cas-- cas-- force-pushed the 12423-fix-web-http-multipart-files branch from d42720a to 230dc05 Compare February 4, 2025 18:27
@cas-- cas-- requested a review from adiroiban February 4, 2025 18:30
adiroiban
adiroiban approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@adiroiban adiroiban left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. It looks good.

Note that this functionality of Twisted raises a lot of security concerns

See #4688 (comment)

Also, the actual file names are not recorderd ... there is a separate ticket for that #12358

Thanks again for this PR

@adiroiban adiroiban merged commit 68a6209 into twisted:trunk Feb 5, 2025
28 checks passed
@cas-- cas-- deleted the 12423-fix-web-http-multipart-files branch February 6, 2025 11:09
@Gauvino Gauvino mentioned this pull request Feb 10, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adiroiban adiroiban adiroiban approved these changes

Assignees

No one assigned

Labels

needs-merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Regression handling multiple files in multipart/form-data with same name

3 participants

@cas-- @adiroiban @chevah-robot