Fix multipart parsing bug

Escape special regex characters from the boundary before placing into the regexs used to locate the boundaries in the multipart data.
pallets · May 14, 2021 · 3f8a95f · 3f8a95f
1 parent c3236f1
commit 3f8a95f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -12,6 +12,8 @@ Unreleased
 -   Fix some types that weren't available in Python 3.6.0. :issue:`2123`
 -   ``cached_property`` is generic over its return type, properties
     decorated with it report the correct type. :issue:`2113`
+-   Fix multipart parsing bug when boundary contains special regex
+    characters. :issue:`2125`
 
 
 Version 2.0.0

diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
@@ -101,7 +101,7 @@ def __init__(
         # group to understand if it is an epilogue boundary.
         self.preamble_re = re.compile(
             br"%s?--%s(--[^\S\n\r]*%s?|[^\S\n\r]*%s)"
-            % (LINE_BREAK, boundary, LINE_BREAK, LINE_BREAK),
+            % (LINE_BREAK, re.escape(boundary), LINE_BREAK, LINE_BREAK),
             re.MULTILINE,
         )
         # A boundary must include a line break prefix and suffix, and
@@ -110,7 +110,7 @@ def __init__(
         # understand if it is an epilogue boundary.
         self.boundary_re = re.compile(
             br"%s--%s(--[^\S\n\r]*%s?|[^\S\n\r]*%s)"
-            % (LINE_BREAK, boundary, LINE_BREAK, LINE_BREAK),
+            % (LINE_BREAK, re.escape(boundary), LINE_BREAK, LINE_BREAK),
             re.MULTILINE,
         )
 

diff --git a/tests/sansio/test_multipart.py b/tests/sansio/test_multipart.py
@@ -10,18 +10,18 @@
 
 
 def test_decoder_simple() -> None:
-    boundary = b"---------------------------9704338192090380615194531385"
+    boundary = b"---------------------------9704338192090380615194531385$"
     decoder = MultipartDecoder(boundary)
     data = """
------------------------------9704338192090380615194531385
+-----------------------------9704338192090380615194531385$
 Content-Disposition: form-data; name="fname"
 
 ß∑œß∂ƒå∂
------------------------------9704338192090380615194531385
+-----------------------------9704338192090380615194531385$
 Content-Disposition: form-data; name="lname"; filename="bob"
 
 asdasd
------------------------------9704338192090380615194531385--
+-----------------------------9704338192090380615194531385$--
     """.replace(
         "\n", "\r\n"
     ).encode(