summaryrefslogtreecommitdiff
path: root/src/services/vyos-http-api-server
diff options
context:
space:
mode:
authorJohn Estabrook <jestabro@vyos.io>2021-06-12 11:43:29 -0500
committerJohn Estabrook <jestabro@vyos.io>2021-11-07 15:21:50 -0600
commit8b8c2b36f85072def2bbb59040305e19b187a399 (patch)
tree66a5683ff29b5498d9a27301ce2e599096051078 /src/services/vyos-http-api-server
parent37c3ebc8aba14ba7605fbbb9c4013cbd2513400d (diff)
downloadvyos-1x-8b8c2b36f85072def2bbb59040305e19b187a399.tar.gz
vyos-1x-8b8c2b36f85072def2bbb59040305e19b187a399.zip
http-api: T3616: update for strict content-type check in FastAPI 0.65.2
FastAPI 0.65.2 checks content-type request header before assuming JSON, closing a well-known loophole. This requires a modification of the code providing backwards compatibility of multipart forms. (cherry picked from commit 3a9041e2d4d4a48ba7c01439e69c5f86a4a850c2)
Diffstat (limited to 'src/services/vyos-http-api-server')
-rwxr-xr-xsrc/services/vyos-http-api-server32
1 files changed, 32 insertions, 0 deletions
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 8069d7146..cbf321dc8 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -32,6 +32,9 @@ from fastapi.responses import HTMLResponse
from fastapi.exceptions import RequestValidationError
from fastapi.routing import APIRoute
from pydantic import BaseModel, StrictStr, validator
+from starlette.datastructures import FormData, MutableHeaders
+from starlette.formparsers import FormParser, MultiPartParser
+from multipart.multipart import parse_options_header
import vyos.config
@@ -236,6 +239,35 @@ class MultipartRequest(Request):
ERR_PATH_NOT_LIST_OF_STR = False
offending_command = {}
exception = None
+
+ @property
+ def orig_headers(self):
+ self._orig_headers = super().headers
+ return self._orig_headers
+
+ @property
+ def headers(self):
+ self._headers = super().headers.mutablecopy()
+ self._headers['content-type'] = 'application/json'
+ return self._headers
+
+ async def form(self) -> FormData:
+ if not hasattr(self, "_form"):
+ assert (
+ parse_options_header is not None
+ ), "The `python-multipart` library must be installed to use form parsing."
+ content_type_header = self.orig_headers.get("Content-Type")
+ content_type, options = parse_options_header(content_type_header)
+ if content_type == b"multipart/form-data":
+ multipart_parser = MultiPartParser(self.orig_headers, self.stream())
+ self._form = await multipart_parser.parse()
+ elif content_type == b"application/x-www-form-urlencoded":
+ form_parser = FormParser(self.orig_headers, self.stream())
+ self._form = await form_parser.parse()
+ else:
+ self._form = FormData()
+ return self._form
+
async def body(self) -> bytes:
if not hasattr(self, "_body"):
forms = {}