
Build(deps): [security] bump python-multipart from 0.0.7 to 0.0.18

Ronan Amicel requested to merge dependabot-pip-python-multipart-0.0.18 into main

Bumps python-multipart from 0.0.7 to 0.0.18. This update includes a security fix.

Vulnerabilities fixed

Denial of service (DoS) via deformation multipart/form-data boundary

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

  • GitHub security advisory in Starlette on October 30 by @Startr4ck
  • Email to python-multipart maintainer on October 3 by @mnqazi

Patched versions: 0.0.18
Affected versions: < 0.0.18
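A quick way to confirm whether a service still pins an affected release before merging a bump like this one is to scan its requirements file against the advisory's version boundary. The script below is an added example written for this page; it is not part of the merge request or of python-multipart itself. It assumes plain numeric release versions (the project's tags on this page are all of that form), recognises only exact `name==version` pins, and applies PEP 503 name normalisation so that `python_multipart` and `Python-Multipart` are matched as the same package; the sample requirements text is constructed for the example.

```python
import re

# Boundary taken from the advisory on this merge request: releases below
# 0.0.18 are affected, 0.0.18 is the first patched release.
PATCHED_VERSION = "0.0.18"


def parse_version(version: str) -> tuple:
    """Parse a plain dotted release version ('0.0.7') into a tuple of ints.

    Assumption (this example only): python-multipart publishes plain numeric
    releases, so pre-release or local-version suffixes are rejected rather
    than guessed at.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when `version` is strictly older than the first patched release."""
    return parse_version(version) < parse_version(patched)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: 'Python_Multipart' -> 'python-multipart'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Matches an exact pin such as `python-multipart==0.0.7` (whitespace tolerant).
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def affected_pins(requirements_text: str, package: str = "python-multipart",
                  patched: str = PATCHED_VERSION) -> list:
    """Return [(name_as_written, version)] for exact pins of `package` that
    are older than `patched`.

    Only `name==version` pins are recognised; ranges and unpinned entries are
    ignored on purpose, since they do not tell us which release is installed.
    """
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        match = PIN_RE.match(line)
        if not match:
            continue
        name, version = match.group(1), match.group(2)
        if normalize_name(name) == normalize_name(package) and is_affected(version, patched):
            hits.append((name, version))
    return hits


# Constructed sample requirements file (not taken from the merge request).
SAMPLE_REQUIREMENTS = """\
fastapi==0.115.0
python-multipart==0.0.7   # the pin this MR bumps to 0.0.18
requests>=2.31            # range, ignored by the scanner
"""

if __name__ == "__main__":
    for name, version in affected_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version} is affected (< {PATCHED_VERSION})")
```

Run it against a real requirements file by passing its contents to `affected_pins`; an empty list means no exact pin older than 0.0.18 was found, which is the state the merge request leaves the repository in.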

Release notes

Sourced from python-multipart's releases.

Version 0.0.18

What's Changed


Full Changelog: https://github.com/Kludex/python-multipart/compare/0.0.17...0.0.18

Version 0.0.17

What's Changed


Full Changelog: https://github.com/Kludex/python-multipart/compare/0.0.16...0.0.17

Version 0.0.16

What's Changed


Full Changelog: https://github.com/Kludex/python-multipart/compare/0.0.15...0.0.16

Version 0.0.15

What's Changed

  • Replace FutureWarning to PendingDeprecationWarning #174.
  • Add missing files to SDist #171.

Full Changelog: https://github.com/Kludex/python-multipart/compare/0.0.14...0.0.15

Version 0.0.14

What's Changed

Full Changelog: https://github.com/Kludex/python-multipart/compare/0.0.13...0.0.14

Version 0.0.13

What's Changed

New Contributors

Full Changelog: https://github.com/Kludex/python-multipart/compare/0.0.12...0.0.13

... (truncated)

Changelog

Sourced from python-multipart's changelog.

0.0.18 (2024-11-28)

  • Hard break if found data after last boundary on MultipartParser #189.

0.0.17 (2024-10-31)

  • Handle PermissionError in fallback code for old import name #182.

0.0.16 (2024-10-27)

  • Add dunder attributes to multipart package #177.

0.0.15 (2024-10-27)

  • Replace FutureWarning to PendingDeprecationWarning #174.
  • Add missing files to SDist #171.

0.0.14 (2024-10-24)

  • Fix import scheme for multipart module (#168).

0.0.13 (2024-10-20)

  • Rename import to python_multipart #166.

0.0.12 (2024-09-29)

  • Improve error message when boundary character does not match #124.
  • Add mypy strict typing #140.
  • Enforce 100% coverage #159.

0.0.11 (2024-09-28)

  • Improve performance, especially in data with many CR-LF #137.
  • Handle invalid CRLF in header name #141.

0.0.10 (2024-09-21)

  • Support on_header_begin #103.
  • Improve type hints on FormParser #104.
  • Fix OnFileCallback type #106.
  • Improve type hints #110.
  • Improve type hints on File #111.
  • Add type hint to helper functions #112.
  • Minor fix for Field.repr #114.
  • Fix use of chunk_size parameter #136.
  • Allow digits and valid token chars in headers #134.
  • Fix headers being carried between parts #135.

0.0.9 (2024-02-10)

... (truncated)
