代码拉取完成,页面将自动刷新
CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Dispositio.patch
3.14 KB
starlet_dx
提交于
2024-05-06 09:57
.
Fix CVE-2024-30251
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273
From f21c6f2ca512a026ce7f0f6c6311f62d6a638866 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 21:54:12 +0100
Subject: [PATCH] [PR #8335/5a6949da backport][3.9] Add Content-Disposition
automatically (#8336)
**This is a backport of PR #8335 as merged into master
(5a6949da642d1db6cf414fd0d1f70e54c7b7be14).**
Co-authored-by: Sam Bull <git@sambull.org>
---
CHANGES/8335.bugfix.rst | 1 +
aiohttp/multipart.py | 4 ++++
tests/test_multipart.py | 22 +++++++++++++++++-----
3 files changed, 22 insertions(+), 5 deletions(-)
create mode 100644 CHANGES/8335.bugfix.rst
diff --git a/CHANGES/8335.bugfix.rst b/CHANGES/8335.bugfix.rst
new file mode 100644
index 0000000000..cd93b864a5
--- /dev/null
+++ b/CHANGES/8335.bugfix.rst
@@ -0,0 +1 @@
+Added default Content-Disposition in multipart/form-data responses -- by :user:`Dreamsorcerer`.
diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index fcdf16183c..71fc2654a1 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@@ -852,6 +852,10 @@ def append_payload(self, payload: Payload) -> Payload:
not {CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TRANSFER_ENCODING}
& payload.headers.keys()
)
+ # Set default Content-Disposition in case user doesn't create one
+ if CONTENT_DISPOSITION not in payload.headers:
+ name = f"section-{len(self._parts)}"
+ payload.set_content_disposition("form-data", name=name)
else:
# compression
encoding = payload.headers.get(CONTENT_ENCODING, "").lower()
diff --git a/tests/test_multipart.py b/tests/test_multipart.py
index 37ac54797f..436b70957f 100644
--- a/tests/test_multipart.py
+++ b/tests/test_multipart.py
@@ -1282,12 +1282,24 @@ def test_append_multipart(self, writer) -> None:
part = writer._parts[0][0]
assert part.headers[CONTENT_TYPE] == "test/passed"
- async def test_set_content_disposition_after_append(self):
+ def test_set_content_disposition_after_append(self):
writer = aiohttp.MultipartWriter("form-data")
- payload = writer.append("some-data")
- payload.set_content_disposition("form-data", name="method")
- assert CONTENT_DISPOSITION in payload.headers
- assert "name=" in payload.headers[CONTENT_DISPOSITION]
+ part = writer.append("some-data")
+ part.set_content_disposition("form-data", name="method")
+ assert 'name="method"' in part.headers[CONTENT_DISPOSITION]
+
+ def test_automatic_content_disposition(self):
+ writer = aiohttp.MultipartWriter("form-data")
+ writer.append_json(())
+ part = payload.StringPayload("foo")
+ part.set_content_disposition("form-data", name="second")
+ writer.append_payload(part)
+ writer.append("foo")
+
+ disps = tuple(p[0].headers[CONTENT_DISPOSITION] for p in writer._parts)
+ assert 'name="section-0"' in disps[0]
+ assert 'name="second"' in disps[1]
+ assert 'name="section-2"' in disps[2]
def test_with(self) -> None:
with aiohttp.MultipartWriter(boundary=":") as writer:
举报
请认真填写举报原因,尽可能描述详细。
请选择举报类型
误判申诉
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化