Remove trust_x_headers

jhnstrk · jhnstrk · commit d6476c2b9205 · 2025-01-21T20:33:52.000+01:00
Removes the trust_x_headers option for
create_form_parser and associated tests.
diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
@@ -1241,7 +1241,7 @@ def data_callback(name: CallbackName, end_i: int, remaining: bool = False) -> No
             elif state == MultipartState.HEADER_VALUE_ALMOST_DONE:
                 # The last character should be a LF.  If not, it's an error.
                 if c != LF:
-                    msg = "Did not find LF character at end of header " "(found %r)" % (c,)
+                    msg = "Did not find LF character at end of header (found %r)" % (c,)
                     self.logger.warning(msg)
                     e = MultipartParseError(msg)
                     e.offset = i
@@ -1783,7 +1783,6 @@ def create_form_parser(
     headers: dict[str, bytes],
     on_field: OnFieldCallback | None,
     on_file: OnFileCallback | None,
-    trust_x_headers: bool = False,
     config: dict[Any, Any] = {},
 ) -> FormParser:
     """This function is a helper function to aid in creating a FormParser
@@ -1796,8 +1795,6 @@ def create_form_parser(
         headers: A dictionary-like object of HTTP headers.  The only required header is Content-Type.
         on_field: Callback to call with each parsed field.
         on_file: Callback to call with each parsed file.
-        trust_x_headers: Whether or not to trust information received from certain X-Headers - for example, the file
-            name from X-File-Name.
         config: Configuration variables to pass to the FormParser.
     """
     content_type: str | bytes | None = headers.get("Content-Type")
@@ -1813,14 +1810,8 @@ def create_form_parser(
     # We need content_type to be a string, not a bytes object.
     content_type = content_type.decode("latin-1")
 
-    # File names are optional.
-    if trust_x_headers:
-        file_name = headers.get("X-File-Name")
-    else:
-        file_name = None
-
     # Instantiate a form parser.
-    form_parser = FormParser(content_type, on_field, on_file, boundary=boundary, file_name=file_name, config=config)
+    form_parser = FormParser(content_type, on_field, on_file, boundary=boundary, config=config)
 
     # Return our parser.
     return form_parser
diff --git a/tests/test_multipart.py b/tests/test_multipart.py
@@ -1391,24 +1391,6 @@ def test_parse_form(self) -> None:
         # 15 - i.e. all data is written.
         self.assertEqual(on_file.call_args[0][0].size, 15)
 
-    @parametrize("trust_x_headers", [True, False])
-    def test_parse_form_trust_x_false(self, trust_x_headers: bool) -> None:
-        on_field = Mock()
-        on_file = Mock()
-
-        headers = {"Content-Type": b"application/octet-stream", "X-File-Name": b"foo.txt"}
-        parser = create_form_parser(headers, on_field, on_file, trust_x_headers=trust_x_headers)
-        parser.write(b"123456789012345")
-        parser.finalize()
-
-        assert on_file.call_count == 1
-
-        # The first argument (a File Object) name should come from the X header only if allowed.
-        if trust_x_headers:
-            self.assertEqual(on_file.call_args[0][0].file_name, b"foo.txt")
-        else:
-            self.assertEqual(on_file.call_args[0][0].file_name, None)
-
     def test_parse_form_content_length(self) -> None:
         files: list[FileProtocol] = []
 
