handle chunked input that splits \r\n (#3066)

davidism · web-flow · commit 33bdb41b6c2d · 2025-11-26T18:22:02.000-08:00
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -6,6 +6,8 @@ Version 3.1.4
 Unreleased
 
 -   The debugger pin fails after 10 attempts instead of 11. :pr:`3020`
+-   The multipart form parser handles a ``\r\n`` sequence at a chunk boundary.
+    :issue:`3065`
 
 
 Version 3.1.3
diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
@@ -79,6 +79,9 @@ class MultipartDecoder:
 
     The part data is returned as available to allow the caller to save
     the data from memory to disk, if desired.
+
+    .. versionchanged:: 3.1.4
+        Handle chunks that split a``\r\n`` sequence.
     """
 
     def __init__(
@@ -283,6 +286,11 @@ def _parse_data(
                 data_end = del_index = self.last_newline(data[data_start:]) + data_start
             more_data = match is None
 
+        # Keep \r\n sequence intact rather than splitting across chunks.
+        if data_end > data_start and data[data_end - 1] == 0x0D:
+            data_end -= 1
+            del_index -= 1
+
         return bytes(data[data_start:data_end]), del_index, more_data
 
 
diff --git a/tests/sansio/test_multipart.py b/tests/sansio/test_multipart.py
@@ -85,7 +85,16 @@ def test_decoder_data_start_with_different_newline_positions(
     # We want to check up to data start event
     while not isinstance(events[-1], Data):
         events.append(decoder.next_event())
-    expected = data_start if data_end == b"" else data_start + b"\r\nBCDE"
+
+    expected = data_start
+
+    if data_end == b"":
+        # a split \r\n is deferred to the next event
+        if expected[-1] == 0x0D:
+            expected = expected[:-1]
+    else:
+        expected += b"\r\nBCDE"
+
     assert events == [
         Preamble(data=b""),
         File(
diff --git a/tests/test_formparser.py b/tests/test_formparser.py
@@ -152,6 +152,32 @@ def test_missing_multipart_boundary(self):
         )
         assert req.form == {}
 
+    def test_chunk_split_on_line_break_before_epilogue(self):
+        data = b"".join(
+            (
+                # exactly 64 bytes of header
+                b"--thirteenbytes\r\n",
+                b"Content-Disposition: form-data; name=tx3065\r\n\r\n",
+                # payload that fills 65535 bytes together with the header
+                b"\n".join([b"\r" * 31] * 2045 + [b"y" * 31]),
+                # This newline is split by the first chunk
+                b"\r\n",
+                # extra payload that also has the final newline split exactly
+                # at the chunk size.
+                b"\n".join([b"\r" * 31] * 2047 + [b"x" * 30]),
+                b"\r\n--thirteenbytes--",
+            )
+        )
+        req = Request.from_values(
+            input_stream=io.BytesIO(data),
+            content_length=len(data),
+            content_type="multipart/form-data; boundary=thirteenbytes",
+            method="POST",
+        )
+        assert len(req.form["tx3065"]) == (131072 - 64 - 1)
+        assert req.form["tx3065"][-1] == "x"
+        assert req.form["tx3065"][65470:65473] == "y\r\n"
+
     def test_parse_form_data_put_without_content(self):
         # A PUT without a Content-Type header returns empty data
 
