Merge 3.0.x (#2801)

pallets · Oct 24, 2023 · f3c803b · f3c803b
2 parents 726eaa2 + 48a6560
commit f3c803b
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,5 +1,13 @@
 .. currentmodule:: werkzeug
 
+Version 3.0.1
+-------------
+
+Released 2023-10-24
+
+-   Fix slow multipart parsing for large parts potentially enabling DoS
+    attacks. :cwe:`CWE-407`
+
 Version 3.0.0
 -------------
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "Werkzeug"
-version = "3.0.0"
+version = "3.0.1"
 description = "The comprehensive WSGI web application library."
 readme = "README.rst"
 license = {file = "LICENSE.rst"}

diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
@@ -251,12 +251,20 @@ def _parse_data(self, data: bytes, *, start: bool) -> tuple[bytes, int, bool]:
         else:
             data_start = 0
 
-        if self.buffer.find(b"--" + self.boundary) == -1:
+        boundary = b"--" + self.boundary
+
+        if self.buffer.find(boundary) == -1:
             # No complete boundary in the buffer, but there may be
             # a partial boundary at the end. As the boundary
             # starts with either a nl or cr find the earliest and
             # return up to that as data.
             data_end = del_index = self.last_newline(data[data_start:]) + data_start
+            # If amount of data after last newline is far from
+            # possible length of partial boundary, we should
+            # assume that there is no partial boundary in the buffer
+            # and return all pending data.
+            if (len(data) - data_end) > len(b"\n" + boundary):
+                data_end = del_index = len(data)
             more_data = True
         else:
             match = self.boundary_re.search(data)