From 2c639571ec23a52cb0bbb172ba8c1f18afe58e33 Mon Sep 17 00:00:00 2001
From: Viktor Lomakin
Date: Mon, 5 Aug 2024 22:53:03 +0300
Subject: [PATCH] Fix UnicodeDecodeError issue (#2930)

---
 src/werkzeug/formparser.py | 3 +++
 tests/test_formparser.py | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/src/werkzeug/formparser.py b/src/werkzeug/formparser.py
index ba84721e37..44e531d0e6 100644
--- a/src/werkzeug/formparser.py
+++ b/src/werkzeug/formparser.py
@@ -8,6 +8,7 @@
 from .datastructures import FileStorage
 from .datastructures import Headers
 from .datastructures import MultiDict
+from .exceptions import BadRequest
 from .exceptions import RequestEntityTooLarge
 from .http import parse_options_header
 from .sansio.multipart import Data
@@ -287,6 +288,8 @@ def _parse_urlencoded(
 keep_blank_values=True,
 errors="werkzeug.url_quote",
 )
+ except UnicodeDecodeError as e:
+ raise BadRequest() from e
 except ValueError as e:
 raise RequestEntityTooLarge() from e
 
diff --git a/tests/test_formparser.py b/tests/test_formparser.py
index 1ecb012082..cd82f79d8a 100644
--- a/tests/test_formparser.py
+++ b/tests/test_formparser.py
@@ -7,6 +7,7 @@
 
 from werkzeug import formparser
 from werkzeug.datastructures import MultiDict
+from werkzeug.exceptions import BadRequest
 from werkzeug.exceptions import RequestEntityTooLarge
 from werkzeug.formparser import FormDataParser
 from werkzeug.formparser import parse_form_data
@@ -80,6 +81,14 @@ def test_limiting(self):
 # content-length was set, so request could exit early without reading anything
 assert input_stream.read() == b"foo=123456"
 
+ input_stream = io.BytesIO(b"\x80")
+ req = Request.from_values(
+ input_stream=input_stream,
+ content_type="application/x-www-form-urlencoded",
+ method="POST",
+ )
+ pytest.raises(BadRequest, lambda: req.form)
+
 data = (
 b"--foo\r\nContent-Disposition: form-field; name=foo\r\n\r\n"
 b"Hello World\r\n"
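Review bot: In the `_parse_urlencoded` hunk of src/werkzeug/formparser.py, the new `except UnicodeDecodeError` clause is only reached because it sits above `except ValueError`, and nothing in the code records that the order matters. `UnicodeDecodeError` is a subclass of `ValueError`, so a later reordering or merge of the two handlers would silently send undecodable request bodies back to the `RequestEntityTooLarge` branch and hide malformed input behind a size error. I would add a comment above the clause such as `# UnicodeDecodeError subclasses ValueError; keep this handler first so malformed bytes yield 400, not 413.` The `try` body and the rest of the function lie outside the hunk, so which call raises the decode error is inferred rather than visible here.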
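Review bot: In the `test_limiting` hunk of tests/test_formparser.py, the new undecodable-body case is appended to a test named for size limits, so a regression in decoding would surface as a failure of the wrong test. A separate method, for example `def test_urlencoded_invalid_utf8(self):`, would keep the two concerns apart and make the failure easy to attribute. The case also feeds only the lone byte `b"\x80"`; a second input with a valid key and an invalid value, such as the constructed sample `b"a=\xff"`, would confirm that a partially valid body is rejected with `BadRequest` as well. `test_limiting` starts above the hunk and continues past it.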