multipartparser.Parser does not accept non-canonical bare CR and bare LF
|Reported by:||Jacob Fenwick||Owned by:||nobody|
|Cc:||Leo Soto M.||Triage Stage:||Unreviewed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
According to RFC 2616, Section 3.7.1:
"HTTP applications MUST accept CRLF, bare CR, and bare LF as being representative of a line break in text media received via HTTP."
The Parser object in multipartparser can only parse canonical CRLF because of this line:
As a result, any data coming through the WSGI gateway that does not conform to canonical CRLF but is still considered valid by RFC 2616 will be processed incorrectly.
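The behaviour the description asks for, as an added example that is not part of the ticket and is not Django's code: a header-block splitter for one multipart part that treats CRLF, bare CR and bare LF as line breaks, next to a CRLF-only search for comparison. The names `strict_header_end`, `split_part` and `sample_part` are hypothetical, and the sample part is constructed.

```python
import re

# A line break per RFC 2616 section 3.7.1: CRLF, bare CR, or bare LF.
# The (?!\n) stops a CRLF from being re-read as bare CR followed by bare LF.
LINE_BREAK = rb"(?:\r\n|\r(?!\n)|\n)"
# A part's header block ends at an empty line, i.e. two consecutive breaks.
HEADER_END = re.compile(LINE_BREAK + LINE_BREAK)


def strict_header_end(chunk: bytes) -> int:
    """CRLF-only search: an assumed stand-in for a canonical-only parser."""
    return chunk.find(b"\r\n\r\n")


def split_part(chunk: bytes):
    """Return (headers, body) for one part, or None if no empty line is found."""
    match = HEADER_END.search(chunk)
    if match is None:
        return None
    headers = {}
    for line in re.split(LINE_BREAK, chunk[:match.start()]):
        name, sep, value = line.partition(b":")
        if sep:  # lines without a colon are skipped, not guessed at
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    # The body is returned byte-for-byte; only the header block is re-split.
    return headers, chunk[match.end():]


def sample_part(nl: bytes) -> bytes:
    """Constructed sample: one form-data part using `nl` as its line break."""
    return nl.join([
        b'Content-Disposition: form-data; name="title"',
        b"Content-Type: text/plain",
        b"",
        b"hello",
    ])


if __name__ == "__main__":
    for nl in (b"\r\n", b"\r", b"\n"):
        part = sample_part(nl)
        print(repr(nl), strict_header_end(part), split_part(part))
```
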
Change History (14)
comment:1 Changed 7 years ago by
|Component:||Core framework → HTTP handling|
|Patch needs improvement:||unset|