From: Marcel Hellkamp <marc@gsites.de>
Subject: JSON content-type not restrictive enough, https://github.com/defnull/bottle/issues/616
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322
Origin: vendor
Forwarded: no
diff --git a/bottle.py b/bottle.py
index 9c90553..3f4f0de 100644
--- a/bottle.py
+++ b/bottle.py
@@ -985,7 +985,8 @@
             property holds the parsed content of the request body. Only requests
             smaller than :attr:`MEMFILE_MAX` are processed to avoid memory
             exhaustion. '''
-        if 'application/json' in self.environ.get('CONTENT_TYPE', '') \
+        ctype = self.environ.get('CONTENT_TYPE', '').lower().split(';')[0]
+        if ctype == 'application/json' \
         and 0 < self.content_length < self.MEMFILE_MAX:
             return json_loads(self.body.read(self.MEMFILE_MAX))
         return None
 
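Review bot: The media type in the new `ctype` line is not trimmed, so a header such as `application/json ; charset=utf-8` (optional whitespace before `;` is allowed by the HTTP media-type grammar) leaves a trailing space, the equality check on the following line fails, and a valid JSON body is silently dropped as `None`. Appending a strip fixes it: `ctype = self.environ.get('CONTENT_TYPE', '').lower().split(';')[0].strip()`. The comparison itself is a sound tightening: matching the whole media type instead of a substring means a parameter or stray text can no longer smuggle `application/json` past the check. The `json` property's decorator and signature lie before the hunk.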
diff --git a/test/test_environ.py b/test/test_environ.py
index 517048d..b693e83 100755
--- a/test/test_environ.py
+++ b/test/test_environ.py
@@ -385,6 +385,15 @@ class TestRequest(unittest.TestCase):
         e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
         self.assertEqual(BaseRequest(e).json, test)
 
+    def test_json_forged_header_issue616(self):
+        test = dict(a=5, b='test', c=[1,2,3])
+        e = {'CONTENT_TYPE': 'text/plain;application/json'}
+        wsgiref.util.setup_testing_defaults(e)
+        e['wsgi.input'].write(tob(json_dumps(test)))
+        e['wsgi.input'].seek(0)
+        e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
+        self.assertEqual(BaseRequest(e).json, None)
+
     def test_isajax(self):
         e = {}
         wsgiref.util.setup_testing_defaults(e)
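Review bot: The new `test_json_forged_header_issue616` pins only the rejection path; nothing in this hunk confirms that the stricter comparison still accepts a content type carrying parameters, which is the case most likely to regress if the `split(';')[0]` parsing is touched later. A companion test sending `application/json; charset=UTF-8` and asserting the body is parsed would cover it, and since the new code lowercases the header a variant with `APPLICATION/JSON` would pin that too. The sibling test ending at the hunk's first context lines appears to use the bare media type, though its header setup is outside the hunk.
```python
    def test_json_header_with_parameters(self):
        test = dict(a=5, b='test', c=[1,2,3])
        e = {'CONTENT_TYPE': 'application/json; charset=UTF-8'}
        wsgiref.util.setup_testing_defaults(e)
        e['wsgi.input'].write(tob(json_dumps(test)))
        e['wsgi.input'].seek(0)
        e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
        self.assertEqual(BaseRequest(e).json, test)
```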
