Skip to content

Fix multipart parsing for empty body parts #11857

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
magicmark wants to merge 22 commits into
base: master
Choose a base branch
from
Open

Fix multipart parsing for empty body parts #11857

magicmark wants to merge 22 commits into from
+34 −5

Conversation

@magicmark
Copy link

@magicmark magicmark commented Dec 19, 2025
edited
Loading

What do these changes do?

Adds a failing test case that demonstrates an edge-case when parsing empty parts before the final boundary marker. I believe this is a valid payload, but currently blows up.

Are there changes in behavior for the user?

No. This PR only adds a test marked with @pytest.mark.xfail to add a failing test to demonstrate. I will follow up with a fix if we agree this is a bug.

Is it a substantial burden for the maintainers to support this?

No.

Checklist

  • I think the code is well written excellent
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • Add a new news fragment into the CHANGES/ folder

@magicmark magicmark requested a review from asvetlov as a code owner December 19, 2025 20:14
@magicmark magicmark requested a review from webknjaz as a code owner December 19, 2025 20:15
@magicmark
Copy link
Author

magicmark commented Dec 19, 2025
edited
Loading

FWIW, a real world application of this:

https://strawberry.rocks/docs/general/multipart-subscriptions

Minimal implementation here: https://github.com/magicmark/gql-book-server/

Raw response:

curl -X POST https://gql-book-server.fly.dev/graphql \
     -H "Content-Type: application/json" \
     -H "Accept: multipart/mixed;boundary=graphql;subscriptionSpec=1.0,application/json" \
     -d '{"query":"subscription GetBook { book(target: 2) { title author } }"}'

Content-Type: application/json; charset=utf-8
Content-Length: 2

{}
--graphql
Content-Type: application/json; charset=utf-8
Content-Length: 95

{"payload": {"data": {"book": {"title": "A Tale of Two Cities", "author": "Charles Dickens"}}}}
--graphql
Content-Type: application/json; charset=utf-8
Content-Length: 84

{"payload": {"data": {"book": {"title": "Animal Farm", "author": "George Orwell"}}}}
--graphql
--graphql--

It's also possible the fix needs to be made in Strawberry? cc @patrick91 @erikwrede

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 19, 2025
View reviewed changes
@codecov
Copy link

codecov bot commented Dec 19, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.74%. Comparing base (8b919d3) to head (ac1cba1).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11857      +/-   ##
==========================================
- Coverage   98.74%   98.74%   -0.01%     
==========================================
  Files         127      127              
  Lines       44171    44187      +16     
  Branches     2342     2343       +1     
==========================================
+ Hits        43618    43631      +13     
- Misses        392      395       +3     
  Partials      161      161
Flag Coverage Δ
CI-GHA 98.60% <100.00%> (-0.01%) ⬇️
OS-Linux 98.34% <100.00%> (-0.01%) ⬇️
OS-Windows 96.68% <100.00%> (+<0.01%) ⬆️
OS-macOS 97.56% <100.00%> (+<0.01%) ⬆️
Py-3.10.11 97.10% <100.00%> (-0.02%) ⬇️
Py-3.10.19 97.60% <100.00%> (-0.01%) ⬇️
Py-3.11.14 97.80% <100.00%> (-0.01%) ⬇️
Py-3.11.9 97.31% <100.00%> (+<0.01%) ⬆️
Py-3.12.10 97.41% <100.00%> (+<0.01%) ⬆️
Py-3.12.12 97.91% <100.00%> (+<0.01%) ⬆️
Py-3.13.11 98.16% <100.00%> (-0.01%) ⬇️
Py-3.14.2 98.17% <100.00%> (+<0.01%) ⬆️
Py-3.14.2t 97.25% <100.00%> (+<0.01%) ⬆️
Py-pypy3.11.13-7.3.20 97.41% <100.00%> (+<0.01%) ⬆️
VM-macos 97.56% <100.00%> (+<0.01%) ⬆️
VM-ubuntu 98.34% <100.00%> (-0.01%) ⬇️
VM-windows 96.68% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@codspeed-hq
Copy link

codspeed-hq bot commented Dec 19, 2025
edited
Loading

CodSpeed Performance Report

Merging #11857 will not alter performance

Comparing magicmark:add_failing_test_for_empty_part (ac1cba1) with master (8b919d3)

Summary

✅ 59 untouched

@magicmark magicmark mentioned this pull request Dec 19, 2025
Open
@magicmark magicmark force-pushed the add_failing_test_for_empty_part branch from 764cb47 to 0e70964 Compare December 19, 2025 22:57
@Dreamsorcerer
Copy link
Member

Dreamsorcerer commented Dec 20, 2025
edited
Loading

After its boundary delimiter line, each body part then consists of a header area, a blank line, and a body area.
...
A body part that starts with a blank line, therefore, is allowed and is a body part for which all default values are to be assumed.
https://datatracker.ietf.org/doc/html/rfc2046#section-5.1

It is then terminated by either another CRLF and the header fields for the next part, or by two CRLFs
...

     encapsulation := delimiter transport-padding
                     CRLF body-part

    delimiter := CRLF dash-boundary

    close-delimiter := delimiter "--"

https://datatracker.ietf.org/doc/html/rfc2046#section-5.1.1

So, an empty body part looks like:

\r
--graphql\r
\r
--graphql--

So, the example provided appears to be invalid syntax to me (not to mention that it seems illogical to be wasting bandwidth sending nothing). If we allowed this, there's a possibility it could open up an HTTP request smuggling vulnerability.

Dreamsorcerer
Dreamsorcerer reviewed Dec 20, 2025
View reviewed changes
@magicmark
Copy link
Author

magicmark commented Dec 20, 2025

Thanks @Dreamsorcerer.

Will make the fix in Strawberry then.

@magicmark magicmark closed this Dec 20, 2025
@Dreamsorcerer
Copy link
Member

Dreamsorcerer commented Dec 20, 2025

Tests are still xfailing with correct syntax, so there may be a fix needed in both.

@Dreamsorcerer Dreamsorcerer reopened this Dec 20, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 20, 2025
View reviewed changes
Dreamsorcerer
Dreamsorcerer reviewed Dec 20, 2025
View reviewed changes
@Dreamsorcerer
Copy link
Member

Dreamsorcerer commented Dec 20, 2025

OK, I have a fix. Going to make some tweaks to the this test and then will followup with the actual fix.

@Dreamsorcerer Dreamsorcerer added the bot:chronographer:skip This PR does not need to include a change note label Dec 20, 2025
@Dreamsorcerer Dreamsorcerer added backport-3.13 Trigger automatic backporting to the 3.13 release branch by Patchback robot backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot labels Dec 20, 2025
@Dreamsorcerer
Copy link
Member

Dreamsorcerer commented Dec 20, 2025

Causes too many warnings. Will have to add the fix here.

@Dreamsorcerer Dreamsorcerer changed the title Add failing test for empty multipart response part Fix multipart parsing for empty body parts Dec 20, 2025
@Dreamsorcerer Dreamsorcerer removed the bot:chronographer:skip This PR does not need to include a change note label Dec 20, 2025
@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Dec 20, 2025
@Dreamsorcerer Dreamsorcerer requested a review from bdraco December 20, 2025 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Dreamsorcerer Dreamsorcerer Dreamsorcerer left review comments

@asvetlov asvetlov Awaiting requested review from asvetlov asvetlov is a code owner

@webknjaz webknjaz Awaiting requested review from webknjaz webknjaz is a code owner

@bdraco bdraco Awaiting requested review from bdraco

Assignees

No one assigned

Labels

backport-3.13 Trigger automatic backporting to the 3.13 release branch by Patchback robot backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot bot:chronographer:provided There is a change note present in this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@magicmark @Dreamsorcerer