{"id":1564,"library":"multipart","title":"Multipart Parser","description":"The `multipart` library (v1.3.1) provides a robust parser for `multipart/form-data` requests, commonly used in web applications for handling file uploads and complex form submissions. It supports both synchronous and asynchronous parsing, making it suitable for various web frameworks. The project is actively maintained with periodic security updates.","status":"active","version":"1.3.1","language":"en","source_language":"en","source_url":"https://github.com/defnull/multipart","tags":["http","parser","multipart","form-data","web"],"install":[{"cmd":"pip install multipart","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"note":"For synchronous parsing of multipart/form-data.","symbol":"parse_form","correct":"from multipart import parse_form"},{"note":"For asynchronous parsing of multipart/form-data, typically used with async web frameworks.","symbol":"parse_form_async","correct":"from multipart import parse_form_async"},{"note":"For encoding Python data structures into multipart/form-data format.","symbol":"create_form","correct":"from multipart import create_form"}],"quickstart":{"code":"import io\nfrom multipart import parse_form\n\n# Simulate a multipart/form-data request body\nboundary = \"----WebKitFormBoundaryXYZ\"\nbody_data = f\"\"\"--{boundary}\nContent-Disposition: form-data; name=\"username\"\n\ntestuser\n--{boundary}\nContent-Disposition: form-data; name=\"filefield\"; filename=\"example.txt\"\nContent-Type: text/plain\n\nThis is a test file content.\n--{boundary}--\n\"\"\"\n\n# Prepare the input for parse_form\nbody_bytes = body_data.encode('utf-8')\ncontent_type = f\"multipart/form-data; boundary={boundary}\"\ncontent_length = len(body_bytes)\n\n# Create a file-like object (BytesIO for in-memory bytes)\nbody_stream = io.BytesIO(body_bytes)\n\n# Parse the form\nform, files = parse_form(body_stream, content_type, content_length)\n\n# Access parsed data\nprint(\"Form fields:\")\nfor name, value_list in form.items():\n    # Form fields can have multiple values, parse_form returns a list for each.\n    print(f\"  {name}: {', '.join(value.decode('utf-8') for value in value_list)}\")\n\nprint(\"\\nFiles:\")\nfor name, file_list in files.items():\n    for file_item in file_list:\n        print(f\"  Field Name: {file_item.field_name}\")\n        print(f\"  Filename: {file_item.filename}\")\n        print(f\"  Content Type: {file_item.content_type}\")\n        print(f\"  Content (first 50 chars): {file_item.file.read()[:50].decode('utf-8')}\")\n        file_item.file.close() # Crucial to close the file-like object","lang":"python","description":"This example demonstrates how to parse a `multipart/form-data` request body using `multipart.parse_form`. It simulates an HTTP request by creating an `io.BytesIO` object for the body and specifying `Content-Type` and `Content-Length` headers. The parsed data is returned as `form` (text fields) and `files` (file fields), which are then iterated over."},"warnings":[{"fix":"Update your call to `parse_form` to explicitly pass the input stream, content type, and content length: `form, files = parse_form(input_stream, content_type_header, content_length_header)`.","message":"The `parse_form` function signature changed significantly in versions 1.x compared to older 0.x releases. Previously, it might have directly accepted a WSGI `environ` dictionary. Current versions (1.0.0+) expect a file-like object (e.g., `environ['wsgi.input']`), the `Content-Type` header string, and the `Content-Length` integer.","severity":"breaking","affected_versions":"<1.0.0"},{"fix":"Upgrade to `multipart` version 1.3.1 or higher immediately to patch this critical security vulnerability. If you are on an older 1.x release, upgrade to the latest patch version available.","message":"Versions prior to 1.2.2 and 1.3.1 are vulnerable to a Denial of Service (DoS) attack via CPU exhaustion and excessive memory consumption when processing specially crafted multipart requests. This is tracked as `GHSA-p2m9-wcp5-6qw3`.","severity":"breaking","affected_versions":"<1.2.2, <1.3.1 (for 1.3.x branch)"},{"fix":"Always call `file_item.file.close()` after you are done reading from or processing the file content for each `file_item`.","message":"File-like objects returned for file fields in the `files` dictionary (e.g., `file_item.file`) are open streams. It is crucial to explicitly close these streams after processing their content to release system resources and avoid potential resource leaks, especially in high-traffic applications.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}