Insufficient input validation of content-type 'multipart/form-data' #1125
Closed
Labels: bug (Something isn't working)
Description
Checklist
- The bug is reproducible against the latest release and/or master.
- There are no similar issues or pull requests to fix it yet.
Describe the bug
Not actually a bug, but insufficient input validation.
To reproduce
Provide POST input (e.g. with Postman) with content-type 'multipart/form-data' but without a boundary parameter.
Expected behavior
Shall return a 4xx error code. According to RFC 7578, boundary is a required parameter.
Actual behavior
A None boundary is passed to the multipart library and an exception is raised there.
Debugging material
TypeError: can't concat NoneType to bytes
File "starlette/middleware/trustedhost.py", line 51, in __call__
await self.app(scope, receive, send)
File "starlette/middleware/sessions.py", line 75, in __call__
await self.app(scope, receive, send_wrapper)
File "cpms/middleware.py", line 55, in __call__
await self.app(scope, receive, send)
File "starlette/middleware/authentication.py", line 48, in __call__
await self.app(scope, receive, send)
File "starlette/exceptions.py", line 82, in __call__
raise exc from None
File "starlette/exceptions.py", line 71, in __call__
await self.app(scope, receive, sender)
File "starlette/routing.py", line 582, in __call__
await route.handle(scope, receive, send)
File "starlette/routing.py", line 243, in handle
await self.app(scope, receive, send)
File "starlette/routing.py", line 54, in app
response = await func(request)
File "starlette/authentication.py", line 69, in async_wrapper
return await func(*args, **kwargs)
File "cpms/views/files.py", line 90, in decorator
return await endpoint(request)
File "cpms/views/files.py", line 133, in upload_files
for f_name, f_value in (await request.form()).items():
File "starlette/requests.py", line 240, in form
self._form = await multipart_parser.parse()
File "starlette/formparsers.py", line 181, in parse
parser = multipart.MultipartParser(boundary, callbacks)
File "multipart/multipart.py", line 1042, in __init__
self.boundary = b'\r\n--' + boundary
Environment
- OS: OpenBSD 6.7
- Python version: 3.7.9
- Starlette version: 0.14.1
Additional context
The problem occurs due to insufficient checking of the input on line 166 of starlette/formparsers.py:
boundary = params.get(b"boundary")
It is better to replace it with:
boundary = params[b"boundary"]
so an exception will be raised at an early stage.
Or add additional input validation:
from starlette.exceptions import HTTPException

boundary = params.get(b"boundary")
if not boundary:
    # reject the request before the boundary reaches the multipart parser
    raise HTTPException(status_code=400)
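The check suggested above can be made stricter than "boundary is present": RFC 2046 also constrains what a boundary may look like (1 to 70 characters from a fixed set, no trailing space), and a header that claims multipart but carries no usable boundary should be answered with 400 before any body is read. The following is an added, self-contained example, not Starlette's code and not part of the issue; the small Content-Type parser, the `ContentTypeError` exception and the `handle_upload` endpoint simulation are assumptions made for illustration.

```python
"""Validate a multipart/form-data Content-Type header before handing the
request body to a multipart parser.

Added example: the parser below and ContentTypeError are assumed helpers
written for this illustration; they are not Starlette's own code."""
import re
from typing import Dict, Optional, Tuple

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from this
# set and must not end with a space.
_BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")


class ContentTypeError(ValueError):
    """Raised when the Content-Type header cannot be accepted; carries the
    HTTP status the caller should respond with (assumed helper)."""

    def __init__(self, message: str, status_code: int = 400) -> None:
        super().__init__(message)
        self.status_code = status_code


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; k2="v 2"' into the lower-cased media type
    and a dict of lower-cased parameter names.  Quoted values are unquoted;
    a parameter without '=' or with an empty name is ignored."""
    parts = value.split(";")
    media_type = parts[0].strip().lower()
    params: Dict[str, str] = {}
    for raw in parts[1:]:
        if "=" not in raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if name:
            params[name] = val
    return media_type, params


def multipart_boundary(content_type: Optional[str]) -> Optional[bytes]:
    """Return the boundary for a multipart/form-data request as bytes, None
    when the request is not multipart, and raise ContentTypeError(400) when
    the header claims multipart but the boundary is missing or malformed."""
    if content_type is None:
        return None
    media_type, params = parse_content_type(content_type)
    if media_type != "multipart/form-data":
        return None
    boundary = params.get("boundary")
    if boundary is None or boundary == "":
        raise ContentTypeError("multipart/form-data requires a boundary parameter")
    if not _BOUNDARY_RE.match(boundary) or boundary.endswith(" "):
        raise ContentTypeError("malformed multipart boundary")
    return boundary.encode("ascii")


def handle_upload(headers: Dict[str, str]) -> int:
    """Simulated upload endpoint (assumed): returns the HTTP status a server
    should send for the given request headers, without ever constructing
    a multipart parser for a request that has no valid boundary."""
    try:
        boundary = multipart_boundary(headers.get("content-type"))
    except ContentTypeError as exc:
        return exc.status_code
    if boundary is None:
        return 415  # not a multipart upload; this endpoint accepts nothing else
    return 200  # safe to hand `boundary` to the multipart parser


if __name__ == "__main__":
    # Constructed sample headers: the report's case (no boundary) and a valid one.
    print(handle_upload({"content-type": "multipart/form-data"}))
    print(handle_upload({"content-type": "multipart/form-data; boundary=----abc123"}))
```

The media type and parameter names are compared case-insensitively, which is how HTTP defines them, while the boundary value itself is kept exactly as sent, since the body delimiter must match it byte for byte.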