author | Marcel Hellkamp <marc@gsites.de> | 2014-04-25 22:21:58 +0200 |
---|---|---|
committer | Marcel Hellkamp <marc@gsites.de> | 2014-04-25 23:22:03 +0200 |
commit | a3c7b6eba63f41968c78ea61a2dd1bf334cff4b0 (patch) | |
tree | 4aaf485cf93554df24cb62ede5e78fc44f8455bb | |
parent | b7031472bb5f1acfbfb5a12f04fab000f0b521e9 (diff) | |
download | bottle-a3c7b6eba63f41968c78ea61a2dd1bf334cff4b0.tar.gz |
fix #616: Json content-type not restrictive enough
Possible security issue. See https://github.com/defnull/bottle/issues/616 for details.
-rw-r--r-- | bottle.py | 3 | ||||
-rwxr-xr-x | test/test_environ.py | 9 |
2 files changed, 11 insertions, 1 deletions
@@ -1015,7 +1015,8 @@ class BaseRequest(object):
         property holds the parsed content of the request body. Only requests
         smaller than :attr:`MEMFILE_MAX` are processed to avoid memory
         exhaustion. '''
-        if 'application/json' in self.environ.get('CONTENT_TYPE', '') \
+        ctype = self.environ.get('CONTENT_TYPE', '').lower().split(';')[0]
+        if ctype == 'application/json' \
             and 0 < self.content_length < self.MEMFILE_MAX:
             return json_loads(self.body.read(self.MEMFILE_MAX))
         return None
diff --git a/test/test_environ.py b/test/test_environ.py
index 930280c..f96c9a6 100755
--- a/test/test_environ.py
+++ b/test/test_environ.py
@@ -340,6 +340,15 @@ class TestRequest(unittest.TestCase):
         e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
         self.assertEqual(BaseRequest(e).json, test)
 
+    def test_json_forged_header_issue616(self):
+        test = dict(a=5, b='test', c=[1,2,3])
+        e = {'CONTENT_TYPE': 'text/plain;application/json'}
+        wsgiref.util.setup_testing_defaults(e)
+        e['wsgi.input'].write(tob(json_dumps(test)))
+        e['wsgi.input'].seek(0)
+        e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
+        self.assertEqual(BaseRequest(e).json, None)
+
     def test_isajax(self):
         e = {}
         wsgiref.util.setup_testing_defaults(e)
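Review bot: The media type taken on the new `ctype =` line is compared without stripping whitespace, so a header written as `application/json ; charset=utf-8` (optional whitespace before the parameter separator is permitted by the media-type grammar) yields `'application/json '` and the body is no longer parsed, where the old substring test accepted it; `ctype = self.environ.get('CONTENT_TYPE', '').lower().split(';')[0].strip()` keeps the exact match while tolerating that. The exact comparison itself is the right shape for the fix: the previous `in` check treated any header merely containing the string as JSON, which is what the new test in test/test_environ.py exercises with `text/plain;application/json`. A short comment on the `if ctype == ...` line, such as `# Compare the bare media type only; a substring match let a non-JSON type smuggle the string in as a parameter`, would keep the next maintainer from relaxing it back to `in`. The enclosing property (the `json` accessor the test reaches via `BaseRequest(e).json`) starts before this hunk, so its decorator and signature are not visible here.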
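Review bot: `test_json_forged_header_issue616` pins only the negative case; nothing in this hunk asserts that a legitimate header carrying a parameter, which the `split(';')` in bottle.py exists to handle, still parses, nor that the `.lower()` case-folding takes effect. A sibling test built the same way with `e = {'CONTENT_TYPE': 'Application/JSON; charset=UTF-8'}` and ending in `self.assertEqual(BaseRequest(e).json, test)` would guard both against a later regression of the fix. The `e['CONTENT_LENGTH']` line recomputes `json_dumps(test)` already serialised two lines earlier; binding it once as `body = json_dumps(test)` and reusing it is a minor tidy-up, not a defect. The TestRequest class continues outside the hunk.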