Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

♻️ Refactor header option parser to use the standard library instead of a custom RegEx #75

Merged
merged 1 commit into from
Feb 3, 2024

Conversation

tiangolo
Copy link
Contributor

@tiangolo tiangolo commented Feb 3, 2024

♻️ Refactor header option parser to use the standard library instead of a custom RegEx

This uses the internal standard library module to parse MIME type (Content-Type) parameters instead of using a manual RegEx.

With inspiration from Baize: https://github.com/abersheeran/baize/blob/174c21a044cdc69b637f70030c0aad2dc8be5de1/baize/utils.py#L39-L76 but instead of copy-pasting utils from the standard library, using the suggested approach in the PEP, using another utility.

Ref: https://peps.python.org/pep-0594/#cgi

@Kludex Kludex merged commit 20f0ef6 into Kludex:master Feb 3, 2024
5 checks passed
@tiangolo tiangolo deleted the refactor-option-parser branch February 3, 2024 11:57
@darakian
Copy link

darakian commented Feb 8, 2024

Hey @Kludex, random question but could I ask you to make a security advisory for python-multipart for the versions affected by this issue? We (github) have gotten asks over on github/advisory-database#3479 to add your package as affected. We've got docs on advisories here
https://docs.github.com/en/code-security/security-advisories
but tl;dr if you click into the security tab you can make a new advisory in there.

Given that the issue discussed in the PR above is fundamentally rooted in this project we think it would be ideal if you would be willing to make an advisory 🙇

@Kludex
Copy link
Owner

Kludex commented Feb 8, 2024

I can't create advisories in this repository. I'm not the owner.

@Kludex
Copy link
Owner

Kludex commented Feb 8, 2024

I'll email the owner, and ask to be transferred.

@darakian
Copy link

darakian commented Feb 8, 2024

Thank you much and sorry to bug 🙇

@andrew-d
Copy link
Collaborator

andrew-d commented Feb 8, 2024

Also, apologies on my part for being absent here; I'm coordinating with @Kludex to transfer this repository to the encode organization. I appreciate all the contributors that stepped in after I stopped being involved, and I'm excited to hand this off officially 😃

@Kludex
Copy link
Owner

Kludex commented Feb 12, 2024

@darakian I'll create the advisory here today.

Do you know if advisories can be deleted from other repositories e.g. FastAPI and Starlette?

@darakian
Copy link

darakian commented Feb 12, 2024

@darakian I'll create the advisory here today.

Many thanks. I'll keep my eyes open for it 👀
Looks like we're already live with it GHSA-2jv5-9r88-3w3p

Do you know if advisories can be deleted from other repositories e.g. FastAPI and Starlette?

They cannot. The best thing to do with those (IMO) is to make them specifically about which versions bundled the affected versions of python-multipart.

@levrik
Copy link

levrik commented Feb 16, 2024

It seems that this change broke parsing of extended syntax for UTF-8 file names (e.g. filename*=utf-8'') as defined in https://www.rfc-editor.org/rfc/rfc5987. Multipart uploads from a few customers to our API using this syntax stopped working after updating to 0.0.7.

@tiangolo
Copy link
Contributor Author

@levrik yep, it was fixed in #79 and released as 0.0.8.

@levrik
Copy link

levrik commented Feb 16, 2024

@tiangolo That wasn't clear from the release notes as they only described internals of Python's stdlib instead of the effects it has on the usage of this library. But thanks. Upgrading now!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants