Re: [Python-Dev] [Web-SIG] py3k, cgi, email, and form-data

2009-05-12 Thread Graham Dumpleton
2009/5/12 Robert Brewer :
> There's a major change in functionality in the cgi module between Python
> 2 and Python 3 which I've just run across: the behavior of
> FieldStorage.read_multi, specifically when an HTTP app accepts a file
> upload within a multipart/form-data payload.
>
> In Python 2, each part would be read in sequence within its own
> FieldStorage instance. This allowed file uploads to be shunted to a
> TemporaryFile (via make_file) as needed:
>
>     klass = self.FieldStorageClass or self.__class__
>     part = klass(self.fp, {}, ib,
>                  environ, keep_blank_values, strict_parsing)
>     # Throw first part away
>     while not part.done:
>         headers = rfc822.Message(self.fp)
>         part = klass(self.fp, headers, ib,
>                      environ, keep_blank_values, strict_parsing)
>         self.list.append(part)
>
> In Python 3 (svn revision 72466), the whole request body is read into
> memory first via fp.read(), and then broken into separate parts in a
> second step:
>
>     klass = self.FieldStorageClass or self.__class__
>     parser = email.parser.FeedParser()
>     # Create bogus content-type header for proper multipart parsing
>     parser.feed('Content-Type: %s; boundary=%s\r\n\r\n' % (self.type, ib))
>     parser.feed(self.fp.read())
>     full_msg = parser.close()
>     # Get subparts
>     msgs = full_msg.get_payload()
>     for msg in msgs:
>         fp = StringIO(msg.get_payload())
>         part = klass(fp, msg, ib, environ, keep_blank_values,
>                      strict_parsing)
>         self.list.append(part)
>
> This makes the cgi module in Python 3 somewhat crippled for handling
> multipart/form-data file uploads of any significant size (and since
> the client is the one determining the size, opens a server up for an
> unexpected Denial of Service vector).
>
> I *think* the FeedParser is designed to accept incremental writes,
> but I haven't yet found a way to do any kind of incremental reads
> from it in order to shunt the fp.read out to a tempfile again.
> I'm secretly hoping Barry has a one-liner fix for this. ;)

FWIW, Werkzeug gave up on 'cgi' module for form passing and implements its own.

Not sure whether this issue in Python 3.0 was one of the reasons or
not. I know one of the reasons was because cgi.FieldStorage is not
WSGI 1.0 compliant. One of the main reasons that no one actually
adheres to WSGI 1.0 is because of the 'cgi' module. This still hasn't
been addressed by a proper amendment to WSGI 1.0 specification or a
new WSGI 1.1 specification to allow a hint to readline().

The Werkzeug form processing module is properly WSGI 1.0 compliant,
meaning that Werkzeug is possibly the only major WSGI framework to be
WSGI compliant.

Graham
___
Python-Dev mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
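
The memory-exhaustion concern raised in this thread (an unbounded `fp.read()` of a body whose size the client chooses) is avoided by reading the body in bounded chunks, spooling each part to a temporary file and enforcing a total cap. The following is an added example, not code from the cgi module, Werkzeug or either poster; `stream_parts`, `BodyTooLarge` and the size constants are hypothetical names, and it assumes a binary file object plus a boundary already taken from the Content-Type header.

```python
import io
import tempfile

MAX_CHUNK = 64 * 1024    # upper bound on any single readline() call
SPOOL_MEM = 256 * 1024   # bytes a part may hold in RAM before spilling to disk

class BodyTooLarge(Exception):
    """The client sent more than the configured request-body cap."""

def stream_parts(fp, boundary, max_body=10 * 1024 * 1024):
    """Yield (headers, fileobj) for each multipart/form-data part of fp."""
    delim, last = b"--" + boundary, b"--" + boundary + b"--"
    seen = 0
    def readline():
        nonlocal seen
        chunk = fp.readline(MAX_CHUNK)          # never more than MAX_CHUNK bytes
        seen += len(chunk)
        if seen > max_body:                     # the server picks the limit
            raise BodyTooLarge(max_body)
        return chunk
    line = readline()
    while line and line.rstrip(b"\r\n") != delim:   # skip any preamble
        line = readline()
    while line.rstrip(b"\r\n") == delim:
        headers = {}
        for line in iter(readline, b""):
            if line in (b"\r\n", b"\n"):            # blank line ends the headers
                break
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        body = tempfile.SpooledTemporaryFile(max_size=SPOOL_MEM)
        held, bol = b"", True   # held: line ending not yet known to be data
        for line in iter(readline, b""):
            if bol and line.rstrip(b"\r\n") in (delim, last):
                break           # the held line ending belonged to the delimiter
            if not bol:         # continuation of a line longer than MAX_CHUNK
                line, held = held + line, b""
            body.write(held)
            n = 2 if line.endswith(b"\r\n") else 1 if line[-1:] in (b"\n", b"\r") else 0
            body.write(line[:len(line) - n])
            held, bol = line[len(line) - n:], line.endswith(b"\n")
        else:
            raise ValueError("body ended before the closing delimiter")
        body.seek(0)
        yield headers, body

if __name__ == "__main__":   # constructed sample body, not captured traffic
    demo = b'--XB\r\nContent-Disposition: form-data; name="f"\r\n\r\nhi\r\n--XB--\r\n'
    print([(h, f.read()) for h, f in stream_parts(io.BytesIO(demo), b"XB")])
```

The caller is responsible for closing each yielded file object once the part has been handled.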


Re: [Python-Dev] switching on -3 from within a program?

2008-09-17 Thread Graham Dumpleton
On Sep 17, 1:32 am, Anthon van der Neut <[EMAIL PROTECTED]> wrote:
> With a minor modification to the Makefile I was able to get mod_wsgi
> v2.3 to work with python2.6rc1.

Which I believe was still required only because you have only
installed static Python library. :-)

> I promptly got a warning in my apache log files on the deprecated use
> of 'sha' in the paste's cookie module, good! And easily fixed.
>
> After that I was looking for a way to switch on the -3 warnings from
> within my code to have extra warnings show up in my apache log file.

Check out mod_wsgi from subversion repository:

 svn co http://modwsgi.googlecode.com/svn/trunk/mod_wsgi

and build that.

When Python 2.6 is being used, you should be able to have in Apache
configuration file at server scope:

  WSGIPy3kWarningFlag On

You must not be loading mod_python at same time else this will not be
honoured.

Graham

> After reading some documentation I tried from the python2.6 prompt:
>
> import sys
> sys.py3kwarning = True
> x = { 'abc': 1 }; x.has_key('abc')
>
> which does not give a warning (starting python2.6 with the -3 option of
> course does).
>
> Is there any way to switch this on from within a program with a Python
> statement?
> If not, would I need to make a small C-extension module (to be imported
> as the first module) that sets Py_Py3WarningFlag or something else at
> the C level, or would that better be done by mod_wsgi's C code?
>
> Regards
> Anthon