bpo-35028: cgi: Fix max_num_fields off by one error (GH-9973)

matthewbelisle-wf · miss-islington · commit b79b5c09493e · 2018-10-23T01:14:35.000-07:00
https://bugs.python.org/issue35028
diff --git a/Lib/cgi.py b/Lib/cgi.py
@@ -618,6 +618,11 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
             first_line = self.fp.readline()
             self.bytes_read += len(first_line)
 
+        # Propagate max_num_fields into the sub class appropriately
+        max_num_fields = self.max_num_fields
+        if max_num_fields is not None:
+            max_num_fields -= len(self.list)
+
         while True:
             parser = FeedParser()
             hdr_text = b""
@@ -637,23 +642,19 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
             if 'content-length' in headers:
                 del headers['content-length']
 
-            # Propagate max_num_fields into the sub class appropriately
-            sub_max_num_fields = self.max_num_fields
-            if sub_max_num_fields is not None:
-                sub_max_num_fields -= len(self.list)
-
             part = klass(self.fp, headers, ib, environ, keep_blank_values,
                          strict_parsing,self.limit-self.bytes_read,
-                         self.encoding, self.errors, sub_max_num_fields)
+                         self.encoding, self.errors, max_num_fields)
 
-            max_num_fields = self.max_num_fields
-            if max_num_fields is not None and part.list:
-                max_num_fields -= len(part.list)
+            if max_num_fields is not None:
+                max_num_fields -= 1
+                if part.list:
+                    max_num_fields -= len(part.list)
+                if max_num_fields < 0:
+                    raise ValueError('Max number of fields exceeded')
 
             self.bytes_read += part.bytes_read
             self.list.append(part)
-            if max_num_fields is not None and max_num_fields < len(self.list):
-                raise ValueError('Max number of fields exceeded')
             if part.done or self.bytes_read >= self.length > 0:
                 break
         self.skip_lines()
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
@@ -401,33 +401,38 @@ def test_max_num_fields(self):
         data = """---123
 Content-Disposition: form-data; name="a"
 
-a
+3
 ---123
 Content-Type: application/x-www-form-urlencoded
 
-a=a&a=a
+a=4
+---123
+Content-Type: application/x-www-form-urlencoded
+
+a=5
 ---123--
 """
         environ = {
             'CONTENT_LENGTH':   str(len(data)),
             'CONTENT_TYPE':     'multipart/form-data; boundary=-123',
-            'QUERY_STRING':     'a=a&a=a',
+            'QUERY_STRING':     'a=1&a=2',
             'REQUEST_METHOD':   'POST',
         }
 
         # 2 GET entities
-        # 2 top level POST entities
-        # 2 entities within the second POST entity
+        # 1 top level POST entities
+        # 1 entity within the second POST entity
+        # 1 entity within the third POST entity
         with self.assertRaises(ValueError):
             cgi.FieldStorage(
                 fp=BytesIO(data.encode()),
                 environ=environ,
-                max_num_fields=5,
+                max_num_fields=4,
             )
         cgi.FieldStorage(
             fp=BytesIO(data.encode()),
             environ=environ,
-            max_num_fields=6,
+            max_num_fields=5,
         )
 
     def testQSAndFormData(self):
