-rw-r--r--bottle.py12
-rwxr-xr-xdocs/changelog.rst1
-rwxr-xr-xtest/test_environ.py21
3 files changed, 2 insertions, 32 deletions
diff --git a/bottle.py b/bottle.py
index e4c2194..6f8e7ae 100644
--- a/bottle.py
+++ b/bottle.py
@@ -103,7 +103,7 @@ else: # 2.x
from StringIO import StringIO as BytesIO
from ConfigParser import SafeConfigParser as ConfigParser
if py25:
- msg = "Python 2.5 support may be dropped in future versions of Bottle."
+ msg = "Python 2.5 support may be dropped in future versions of Bottle."
warnings.warn(msg, DeprecationWarning)
from UserDict import DictMixin
def next(it): return it.next()
@@ -999,8 +999,6 @@ class BaseRequest(object):
#: Maximum size of memory buffer for :attr:`body` in bytes.
MEMFILE_MAX = 102400
- #: Maximum number pr GET or POST parameters per request
- MAX_PARAMS = 100
def __init__(self, environ=None):
""" Wrap a WSGI environ dictionary. """
@@ -1050,8 +1048,6 @@ class BaseRequest(object):
""" Cookies parsed into a :class:`FormsDict`. Signed cookies are NOT
decoded. Use :meth:`get_cookie` if you expect signed cookies. """
cookies = SimpleCookie(self.environ.get('HTTP_COOKIE','')).values()
- if len(cookies) > self.app.config.get('MAX_PARAMS', self.MAX_PARAMS):
- raise HTTPError(413, 'Too many cookies')
return FormsDict((c.key, c.value) for c in cookies)
def get_cookie(self, key, default=None, secret=None):
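Review bot: With the `MAX_PARAMS` check removed from `cookies`, nothing visible in this hunk bounds how many attacker-supplied keys go into the `FormsDict`, and the same guard is dropped in the query-string, url-encoded body and multipart hunks below. The changelog rests on CPython's hash-collision fix, but hash randomization is opt-in (`-R` / `PYTHONHASHSEED`) on Python 2.6, 2.7, 3.1 and 3.2 and only on by default from 3.3, so this is not just a Python 2.5 concern. I would keep the limit as an opt-in setting, e.g. `limit = self.app.config.get('MAX_PARAMS')` followed by `if limit is not None and len(cookies) > limit: raise HTTPError(413, 'Too many cookies')`. Failing that, the changelog entry should say that interpreters older than 3.3 need hash randomization switched on explicitly. The `cookies` property starts above this hunk, so any bound applied before that point is not visible here.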
@@ -1073,8 +1069,6 @@ class BaseRequest(object):
:class:`Router`. '''
get = self.environ['bottle.get'] = FormsDict()
pairs = _parse_qsl(self.environ.get('QUERY_STRING', ''))
- if len(pairs) > self.app.config.get('MAX_PARAMS', self.MAX_PARAMS):
- raise HTTPError(413, 'Too many parameters')
for key, value in pairs:
get[key] = value
return get
@@ -1174,8 +1168,6 @@ class BaseRequest(object):
# is not multipart and take the fast path (also: 3.1 workaround)
if not self.content_type.startswith('multipart/'):
pairs = _parse_qsl(tonat(self._get_body_string(), 'latin1'))
- if len(pairs) > self.app.config.get('MAX_PARAMS', self.MAX_PARAMS):
- raise HTTPError(413, 'Too many parameters')
for key, value in pairs:
post[key] = value
return post
@@ -1191,8 +1183,6 @@ class BaseRequest(object):
args['encoding'] = 'latin1'
data = cgi.FieldStorage(**args)
data = data.list or []
- if len(data) > self.app.config.get('MAX_PARAMS', self.MAX_PARAMS):
- raise HTTPError(413, 'Too many parameters')
for item in data:
if item.filename:
post[item.name] = FileUpload(item.file, item.name,
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 633c9ca..dd32833 100755
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -16,6 +16,7 @@ Release 0.12
* Support for multi-line code blocks (`<% ... %>`).
* The keywords `include` and `rebase` are functions now and can accept variable template names.
* The new :meth:`BaseRequest.route` property returns the :class:`Route` that matched the request.
+* Removed the ``BaseRequest.MAX_PARAMS`` limit. The hash collision bug in CPythons dict() implementation was fixed over a year ago. If you are still using Python 2.5 in production, consider upgrading or at least make sure that you get security fixed from your distributor.
Release 0.11
==============
diff --git a/test/test_environ.py b/test/test_environ.py
index 5ad5b03..2bc29e3 100755
--- a/test/test_environ.py
+++ b/test/test_environ.py
@@ -392,27 +392,6 @@ class TestRequest(unittest.TestCase):
del r.environ['HTTP_X_FORWARDED_FOR']
self.assertEqual(r.remote_addr, ips[1])
- def test_maxparam(self):
- ips = ['1.2.3.4', '2.3.4.5', '3.4.5.6']
- e = {}
- wsgiref.util.setup_testing_defaults(e)
- e['wsgi.input'].write(tob('a=a&b=b&c=c'))
- e['wsgi.input'].seek(0)
- e['CONTENT_LENGTH'] = '11'
- e['REQUEST_METHOD'] = "POST"
- e['HTTP_COOKIE'] = 'a=1;b=1;c=1;d=1'
- e['QUERY_STRING'] = 'a&b&c&d'
- old_value = BaseRequest.MAX_PARAMS
- r = BaseRequest(e)
- try:
- BaseRequest.MAX_PARAMS = 2
- self.assertRaises(HTTPError, lambda: r.query)
- self.assertRaises(HTTPError, lambda: r.cookies)
- self.assertRaises(HTTPError, lambda: r.forms)
- self.assertRaises(HTTPError, lambda: r.params)
- finally:
- BaseRequest.MAX_PARAMS = old_value
-
def test_user_defined_attributes(self):
for cls in (BaseRequest, LocalRequest):
r = cls()