Handle malformed RFC 2231 continuations in parse_options_header #270
…zed RFC 2231 index
…FC 2231 continuations
parse_options_header

Thanks @manunio 🙏

I’m returning the header as is to avoid regex magic for parser differences between Python versions.

@Kludex I have also updated the cifuzz action, as the fix for the oss-fuzz sarif bug was merged recently.

Hi @Kludex, just checking in to see if there is anything else you need from my side to get this merged.

I don't want the behavior to be different in different Python versions (and I don't think we should use I just noticed the above after checking it properly.

I didn't have time to propose improvements, that's why I went silent here.

…ons and rollbacked the tests for consistent behavior across diff python version.

Thanks for the review, I have updated the code and test so that it stays consistent across different Python versions.

I have been fuzzing the Edit: I’ve now been running this all day with no issues. I think it’s good to go.

c7c652e to 1ac1269

Hi @Kludex, please review this whenever you're free.

…ME parameters and update parse_options_header to use it

I have updated the code to handle a false positive edge case (the earlier fix was not handling the semicolon inside a quoted string well).

💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b051895e62
Remove the pre-check and `_split_mime_parameters` helper. The only cross-version divergence is mixed `filename*` + `filename*0*` continuations, which raise `TypeError` on 3.12 but return a value on 3.13+. Accept that small inconsistency until 3.12 EOL rather than maintain a parallel MIME splitter; the `try/except` still covers the oversized-index `ValueError` on every supported version. Gate the mixed-continuations test on Python < 3.13 and add a TODO to drop the `TypeError` arm when 3.12 reaches EOL.
Kludex left a comment
@manunio Sorry for the delay and back and forth in this PR. Nowadays, given AI, your contributions are the ones that I enjoy the most.
I've thought a bit more about this, and I think the simpler solution you had before was fine - with the tweak that I actually want a path forward for when we drop Python 3.12.
Summary
- `ValueError` (oversized RFC 2231 index) and `TypeError` (mixed continuation forms) from `Message.get_params()`
- `email.message.Message.get_params()` handles these maliciously formed headers differently in Python 3.12 vs 3.13

Why
`parse_options_header` relied on stdlib email parsing that can raise different exception types for malformed parameter continuations. These changes keep existing behavior while making parser failure handling robust and preventing constant fuzzer crashes (improves its performance).

Validation
- `uv run pytest -q`
- `uv run ruff check python_multipart/exceptions.py python_multipart/multipart.py tests/test_multipart.py`
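
The failure handling described in the summary above, sketched as an added example that is not the pull request's or the project's own code: the helper name `parse_header_params`, the fallback of returning the header unchanged with no parameters, and the sample headers are assumptions constructed for illustration.

```python
from email.message import Message
from email.utils import collapse_rfc2231_value


def parse_header_params(value: str) -> tuple[str, dict[str, str]]:
    """Hypothetical helper: split a header into (main value, params).

    If the stdlib parser raises on malformed RFC 2231 continuations, the
    header is returned as-is with no parameters (assumed fallback).
    """
    message = Message()
    message["content-type"] = value
    try:
        params = message.get_params()
    except (ValueError, TypeError):
        # ValueError: oversized RFC 2231 continuation index.
        # TypeError: mixed `name*` + `name*0*` forms on Python 3.12.
        return value, {}
    if not params:
        return value, {}
    options = {}
    for key, raw in params[1:]:
        # RFC 2231 values arrive as (charset, language, text) tuples;
        # plain values are strings. Both collapse to a str here.
        options[key.lower()] = collapse_rfc2231_value(raw)
    return params[0][0], options


# Constructed sample headers (not taken from the fuzzer corpus).
WELL_FORMED = (
    "form-data; name=\"file\"; "
    "filename*0*=utf-8''hello%20; filename*1*=world.txt"
)
OVERSIZED_INDEX = "form-data; name*" + "9" * 5000 + "*=x"
MIXED_FORMS = "form-data; filename*=utf-8''a.txt; filename*0*=utf-8''b.txt"

if __name__ == "__main__":
    for label, header in [
        ("well-formed", WELL_FORMED),
        ("oversized index", OVERSIZED_INDEX),
        ("mixed forms", MIXED_FORMS),
    ]:
        main, opts = parse_header_params(header)
        print(f"{label}: main={main[:20]!r} options={opts}")
```
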