http-api: error in MultiPart parser for FastAPI version >= 0.91.0
Closed, Resolved | Public | BUG

Description

The http-api REST endpoints support both form data and JSON format requests. Request parsing for FastAPI versions >= 0.91.0 (Starlette versions >= 0.24.0) throws an error in the case of form data, likely due to stricter validation, similar to the issue in T3616.

This is a blocker for update of FastAPI for a reported security vulnerability, hence is 'unbreak now'.

Details

Version: vyos-1.4
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

jestabro triaged this task as Urgent! priority.
jestabro created this object in space S1 VyOS Public.
jestabro renamed this task from http-api: error in MultipPart parser for FastAPI version >= 0.90.0 to http-api: error in MultiPart parser for FastAPI version >= 0.90.0. Apr 23 2023, 2:10 PM
jestabro renamed this task from http-api: error in MultiPart parser for FastAPI version >= 0.90.0 to http-api: error in MultiPart parser for FastAPI version >= 0.91.0. Apr 23 2023, 8:29 PM
jestabro updated the task description.

This has a simple fix: starlette commit c568b55d set the attribute

Request._form = None

to support use of Request.form() as a context manager. Since we override the Request class for backwards-compatibility support (translation) of form-data requests, we need to check for value, not existence, of the attribute. Adding this fix allows updating FastAPI past 0.91.0.
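
The failure mode described in the comment above, as an added illustration that is not the VyOS or Starlette source: stand-in base classes model a request class before and after `_form = None` is set in the constructor, and two hypothetical overrides compare an existence check against a value check. All class and function names and the sample form body are assumptions; in this model the broken combination yields `None` instead of the parsed form.

```python
# Simplified model of the bug (assumption: not Starlette or VyOS source).
from urllib.parse import parse_qsl

# Constructed sample form body, URL-encoded.
SAMPLE = b"key=constructed-key&data=%7B%22op%22%3A+%22showConfig%22%7D"


class OldBase:
    """Stand-in for a base request class that never sets _form in __init__."""
    def __init__(self, raw: bytes):
        self.raw = raw


class NewBase:
    """Stand-in for a base request class that sets _form = None in __init__."""
    def __init__(self, raw: bytes):
        self.raw = raw
        self._form = None


class ExistenceCheck:
    """Hypothetical override: 'attribute exists' is taken to mean 'parsed'."""
    def form(self):
        if not hasattr(self, "_form"):
            self._form = dict(parse_qsl(self.raw.decode()))
        return self._form


class ValueCheck:
    """Hypothetical override: only a non-None value counts as 'parsed'."""
    def form(self):
        if getattr(self, "_form", None) is None:
            self._form = dict(parse_qsl(self.raw.decode()))
        return self._form


def run_matrix() -> dict:
    """Parse SAMPLE with every override/base pairing and collect the results."""
    results = {}
    for check in (ExistenceCheck, ValueCheck):
        for base in (OldBase, NewBase):
            req = type("Req", (check, base), {})(SAMPLE)
            results[(check.__name__, base.__name__)] = req.form()
    return results


if __name__ == "__main__":
    for combo, form in run_matrix().items():
        print(combo, "->", form)
```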

jestabro changed the task status from Open to In progress. Apr 23 2023, 8:35 PM
jestabro changed the task status from Unknown Status to Unknown Status.
jestabro moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
jestabro changed the task status from Unknown Status to Resolved. Apr 27 2023, 2:09 PM
jestabro moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.