| field | value | date |
|---|---|---|
| author | matthewbelisle-wf <matthew.belisle@workiva.com> | 2018-10-30 16:16:26 -0500 |
| committer | Victor Stinner <vstinner@redhat.com> | 2018-10-30 22:16:26 +0100 |
| commit | bc6f74a520112d25ef40324e3de4e8187ff2835d (patch) | |
| tree | 6240dc59ea6b1ca83094e0390f77bc8d013ebf6c /Doc | |
| parent | 64ffee7ad2655c7de9b3b6548aad0c317877ec49 (diff) | |
| download | cpython-git-bc6f74a520112d25ef40324e3de4e8187ff2835d.tar.gz | |
bpo-34866: Add max_num_fields to cgi.FieldStorage (GH-9660) (GH-9969)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by
limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.
(cherry picked from commit 209144831b0a19715bda3bd72b14a3e6192d9cc1)
Diffstat (limited to 'Doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | Doc/library/cgi.rst | 4 |
| -rw-r--r-- | Doc/library/urlparse.rst | 16 |

2 files changed, 16 insertions, 4 deletions
diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst index 1bfdb39067..ecd62c8c01 100644 --- a/Doc/library/cgi.rst +++ b/Doc/library/cgi.rst @@ -292,12 +292,12 @@ algorithms implemented in this module in other circumstances. passed to :func:`urlparse.parse_qs` unchanged. -.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing]]) +.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) This function is deprecated in this module. Use :func:`urlparse.parse_qs` instead. It is maintained here only for backward compatibility. -.. function:: parse_qsl(qs[, keep_blank_values[, strict_parsing]]) +.. function:: parse_qsl(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) This function is deprecated in this module. Use :func:`urlparse.parse_qsl` instead. It is maintained here only for backward compatibility. diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst index b933dda3d2..22249da54f 100644 --- a/Doc/library/urlparse.rst +++ b/Doc/library/urlparse.rst @@ -126,7 +126,7 @@ The :mod:`urlparse` module defines the following functions: Added IPv6 URL parsing capabilities. -.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing]]) +.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) Parse a query string given as a string argument (data of type :mimetype:`application/x-www-form-urlencoded`). Data are returned as a 
@@ -143,14 +143,20 @@ The :mod:`urlparse` module defines the following functions: parsing errors. If false (the default), errors are silently ignored. If true, errors raise a :exc:`ValueError` exception. + The optional argument *max_num_fields* is the maximum number of fields to + read. If set, then throws a :exc:`ValueError` if there are more than + *max_num_fields* fields read. + Use the :func:`urllib.urlencode` function to convert such dictionaries into query strings. .. versionadded:: 2.6 Copied from the :mod:`cgi` module. + .. versionchanged:: 2.7.16 + Added *max_num_fields* parameter. -.. function:: parse_qsl(qs[, keep_blank_values[, strict_parsing]]) +.. function:: parse_qsl(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) Parse a query string given as a string argument (data of type :mimetype:`application/x-www-form-urlencoded`). Data are returned as a list of @@ -166,12 +172,18 @@ The :mod:`urlparse` module defines the following functions: parsing errors. If false (the default), errors are silently ignored. If true, errors raise a :exc:`ValueError` exception. + The optional argument *max_num_fields* is the maximum number of fields to + read. If set, then throws a :exc:`ValueError` if there are more than + *max_num_fields* fields read. + Use the :func:`urllib.urlencode` function to convert such lists of pairs into query strings. .. versionadded:: 2.6 Copied from the :mod:`cgi` module. + .. versionchanged:: 2.7.16 + Added *max_num_fields* parameter. .. function:: urlunparse(parts) |
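Review bot: the cgi.rst hunk adds *max_num_fields* to the signatures of the deprecated ``parse_qs`` and ``parse_qsl`` entries, but nothing in this Doc diff documents the new argument on ``cgi.FieldStorage`` itself, which the commit message names as the object whose ``MiniFieldStorage`` count is being limited; the ``FieldStorage`` constructor entry should say what the argument bounds and that a :exc:`ValueError` results when the bound is exceeded. The two deprecated entries also gain a parameter without the ``.. versionchanged:: 2.7.16`` note that the urlparse.rst hunks add; either add the same note here or state that the argument is simply passed through to :func:`urlparse.parse_qs`, as the surrounding text already says for the other arguments.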
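Review bot: in the ``parse_qs`` hunk (``@@ -143,14 +143,20 @@``) the added sentence ``If set, then throws a :exc:`ValueError` if there are more than *max_num_fields* fields read.`` has no grammatical subject and uses "throws" where the rest of the Python documentation says "raises"; suggest ``If set, a :exc:`ValueError` is raised if more than *max_num_fields* fields are read.`` The paragraph also only says "if set", so it should state what happens when the argument is omitted, otherwise readers cannot tell whether the limit is on by default.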
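Review bot: the ``parse_qsl`` hunk (``@@ -166,12 +172,18 @@``) repeats the *max_num_fields* paragraph verbatim, so whatever wording fix lands in the ``parse_qs`` entry must be applied here as well. Since the commit message motivates the argument as a defence against denial of service, one sentence in both entries saying why a caller would set it (to bound the number of fields, and therefore the work done, when parsing query strings from untrusted input) would make the option discoverable to the operators it is intended for; as written the text only describes the mechanism, not when to use it.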