From: Marcel Hellkamp <marc@gsites.de>
Subject: JSON content-type not restrictive enough, https://github.com/defnull/bottle/issues/616
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322
Origin: vendor
Forwarded: no
diff --git a/bottle.py b/bottle.py
index 9c90553..3f4f0de 100644
--- a/bottle.py
+++ b/bottle.py
@@ -985,7 +985,8 @@
property holds the parsed content of the request body. Only requests
smaller than :attr:`MEMFILE_MAX` are processed to avoid memory
exhaustion. '''
- if 'application/json' in self.environ.get('CONTENT_TYPE', '') \
+ ctype = self.environ.get('CONTENT_TYPE', '').lower().split(';')[0]
+ if ctype == 'application/json' \
and 0 < self.content_length < self.MEMFILE_MAX:
return json_loads(self.body.read(self.MEMFILE_MAX))
return None
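Review bot: The new `ctype` line does not strip whitespace, so a header such as `application/json ; charset=utf-8` (optional whitespace before the parameter separator is permitted by the media-type grammar) yields `'application/json '` and the body is silently not parsed; `ctype = self.environ.get('CONTENT_TYPE', '').split(';')[0].strip().lower()` closes that gap without widening the match. Worth noting in a comment on that line why the exact comparison replaces the substring check, e.g. `# exact match on the media type: a substring test accepted 'text/plain;application/json' (issue 616)`. The stricter comparison also stops parsing structured suffix types like `application/vnd.api+json`, which appears intentional but is a behaviour change callers may notice; the accompanying test only covers the forged-prefix case, not the charset-parameter or mixed-case forms this line now handles. The enclosing `json` property starts above the hunk.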
diff --git a/test/test_environ.py b/test/test_environ.py
index 517048d..b693e83 100755
--- a/test/test_environ.py
+++ b/test/test_environ.py
@@ -385,6 +385,15 @@ class TestRequest(unittest.TestCase):
e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
self.assertEqual(BaseRequest(e).json, test)
+ def test_json_forged_header_issue616(self):
+ test = dict(a=5, b='test', c=[1,2,3])
+ e = {'CONTENT_TYPE': 'text/plain;application/json'}
+ wsgiref.util.setup_testing_defaults(e)
+ e['wsgi.input'].write(tob(json_dumps(test)))
+ e['wsgi.input'].seek(0)
+ e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
+ self.assertEqual(BaseRequest(e).json, None)
+
def test_isajax(self):
e = {}
wsgiref.util.setup_testing_defaults(e)