♻️ Refactor header option parser to use the standard library instead of a custom RegEx #75

Merged
merged 1 commit into from
Feb 3, 2024


Contributor

@tiangolo tiangolo commented Feb 3, 2024

♻️ Refactor header option parser to use the standard library instead of a custom RegEx

This uses the internal standard library module to parse MIME type (Content-Type) parameters instead of using a manual RegEx.

With inspiration from Baize: https://github.com/abersheeran/baize/blob/174c21a044cdc69b637f70030c0aad2dc8be5de1/baize/utils.py#L39-L76 but instead of copy-pasting utils from the standard library, using the suggested approach in the PEP, using another utility.

Ref: https://peps.python.org/pep-0594/#cgi

@Kludex Kludex merged commit 20f0ef6 into Kludex:master Feb 3, 2024
5 checks passed
@tiangolo tiangolo deleted the refactor-option-parser branch February 3, 2024 11:57

darakian commented Feb 8, 2024

Hey @Kludex, random question but could I ask you to make a security advisory for python-multipart for the versions affected by this issue? We (github) have gotten asks over on github/advisory-database#3479 to add your package as affected. We've got docs on advisories here
https://docs.github.com/en/code-security/security-advisories
but tl;dr if you click into the security tab you can make a new advisory in there.

Given that the issue discussed in the PR above is fundamentally rooted in this project we think it would be ideal if you would be willing to make an advisory 🙇

Owner

Kludex commented Feb 8, 2024

I can't create advisories in this repository. I'm not the owner.

Owner

Kludex commented Feb 8, 2024

I'll email the owner, and ask to be transferred.


darakian commented Feb 8, 2024

Thank you much and sorry to bug 🙇

Collaborator

andrew-d commented Feb 8, 2024

Also, apologies on my part for being absent here; I'm coordinating with @Kludex to transfer this repository to the encode organization. I appreciate all the contributors that stepped in after I stopped being involved, and I'm excited to hand this off officially 😃

Owner

Kludex commented Feb 12, 2024

@darakian I'll create the advisory here today.

Do you know if advisories can be deleted from other repositories e.g. FastAPI and Starlette?


darakian commented Feb 12, 2024

> @darakian I'll create the advisory here today.

Many thanks. I'll keep my eyes open for it 👀
Looks like we're already live with it GHSA-2jv5-9r88-3w3p

> Do you know if advisories can be deleted from other repositories e.g. FastAPI and Starlette?

They cannot. The best thing to do with those (IMO) is to make them specifically about which versions bundled the affected versions of python-multipart.


levrik commented Feb 16, 2024

It seems that this change broke parsing of extended syntax for UTF-8 file names (e.g. filename*=utf-8'') as defined in https://www.rfc-editor.org/rfc/rfc5987. Multipart uploads from a few customers to our API using this syntax stopped working after updating to 0.0.7.

@tiangolo
Contributor Author

@levrik yep, it was fixed in #79 and released as 0.0.8.


levrik commented Feb 16, 2024

@tiangolo That wasn't clear from the release notes as they only described internals of Python's stdlib instead of the effects it has on the usage of this library. But thanks. Upgrading now!
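
The standard-library approach named in the PR description, applied to the RFC 5987 `filename*=` case raised later in the thread, as an added example that is not the project's code. The helper name `parse_header_params` and the sample header values are hypothetical and constructed for illustration.

```python
from email.message import Message
from email.utils import collapse_rfc2231_value


def parse_header_params(value: str) -> tuple[str, dict[str, str]]:
    """Return (main value, parameters) for a Content-Type style header.

    Hypothetical helper written for this example; not python-multipart's API.
    """
    if not value:
        return "", {}
    msg = Message()
    # Message.get_params() reads "content-type" by default, so any
    # parameterised header value (Content-Disposition too) is parked there.
    msg["content-type"] = value
    params = msg.get_params()
    main = params[0][0].strip().lower()
    options: dict[str, str] = {}
    for key, raw in params[1:]:
        # An extended parameter (filename*=charset'lang'pct-encoded) arrives
        # as a (charset, language, text) tuple under the key without "*".
        # collapse_rfc2231_value() decodes it; plain strings pass through.
        options[key.lower()] = collapse_rfc2231_value(raw)
    return main, options


# Constructed sample header values (not taken from the thread).
SAMPLES = [
    'application/json; charset="utf8"',
    'form-data; name="file"; filename="a;b.txt"',
    "form-data; name=\"file\"; filename*=utf-8''%E2%82%AC%20rates.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_header_params(sample))
```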
