[Django] #34742: calling a DELETE endpoint without a trailing slash does not thow RuntimeError in DEBUG mode
Django
RuntimeError in DEBUG mode
-------------------------------------------+------------------------
Reporter: pwnage101 | Owner: (none)
Type: Bug | Status: new
Component: Error reporting | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------
Current situation:
If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a
standard DRF-generated POST, PUT, or Patch endpoint without a trailing
slash will result in itentionally raising a RuntimeError in order to warn
developers that callers must be re-written to include a trailing slash or
else it the 301 redirect will convert the request into a GET and clear the
request payload:
The problem:
The linked code doesn't also do the same for DELETE, so DELETE calls
missing trailing slashes are silently converted to GET calls in
development environments which could result in uncaught bugs in
production.
I proposed a simple fix: https://github.com/django/django/pull/17072/files
--
Ticket URL: <https://code.djangoproject.com/ticket/34742>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
RuntimeError in DEBUG mode
Reporter: pwnage101 | Owner: (none)
Type: Bug | Status: new
Component: Error reporting | Version: 4.2
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Description changed by pwnage101:
Old description:
> Current situation:
>
> If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a
> standard DRF-generated POST, PUT, or Patch endpoint without a trailing
> slash will result in itentionally raising a RuntimeError in order to warn
> developers that callers must be re-written to include a trailing slash or
> else it the 301 redirect will convert the request into a GET and clear
> the request payload:
>
> https://github.com/pwnage101/django/blob/fbac2a4dd846b52c4f379eacb5bab654fe9540cc/django/middleware/common.py#L86
>
> The problem:
>
> The linked code doesn't also do the same for DELETE, so DELETE calls
> missing trailing slashes are silently converted to GET calls in
> development environments which could result in uncaught bugs in
> production.
>
> I proposed a simple fix:
> https://github.com/django/django/pull/17072/files
New description:
If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a
standard DRF-generated POST, PUT, or PATCH endpoint without a trailing
slash will result in intentionally raising a RuntimeError in order to warn
developers that API clients should be fixed to include a trailing slash or
else the 301 redirect will silently convert the request into a GET and
clear the request payload:
The problem:
The above linked code doesn't also do the same for DELETE, so DELETE calls
missing trailing slashes are silently converted to GET calls in
development environments which could result in uncaught bugs in
production.
I proposed a simple fix: https://github.com/django/django/pull/17072/files
--
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:1>
Django
RuntimeError in DEBUG mode
Reporter: pwnage101 | Owner: pwnage101
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Simon Charette):
* owner: (none) => pwnage101
* status: new => assigned
* component: Error reporting => HTTP handling
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:2>
Django
RuntimeError in DEBUG mode
-------------------------------+-------------------------------------
Reporter: pwnage101 | Owner: pwnage101
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Changes (by Simon Charette):
* needs_tests: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:3>
Django
RuntimeError in DEBUG mode
-------------------------------+-------------------------------------
Reporter: pwnage101 | Owner: pwnage101
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Comment (by Simon Charette):
Accepting this ticket as it's coherent with #24145
(5b74134f27eabf92870e1c5e81f9e4999f113eab).
See `tests/middleware/tests.py` to add an assertion to
`test_append_slash_no_redirect_on_POST_in_DEBUG` Troy.
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:4>
Django
RuntimeError in DEBUG mode
Reporter: Troy Sankey | Owner: Avaneesh Kumar
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Avaneesh Kumar):
* owner: Troy Sankey => Avaneesh Kumar
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:5>
Django
RuntimeError in DEBUG mode
Reporter: Troy Sankey | Owner: Avaneesh
| Kumar
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Avaneesh Kumar):
* needs_tests: 1 => 0
* stage: Accepted => Ready for checkin
Comment:
I have added an assertion to `test_append_slash_no_redirect_in_DEBUG` in
`tests/middleware/tests.py` which would check for DELETE request along
with POST, PUT, and PATCH.
The pull request can be found here:
https://github.com/django/django/pull/17584
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:6>
Django
RuntimeError in DEBUG mode
Reporter: Troy Sankey | Owner: Avaneesh Kumar
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mariusz Felisiak):
* stage: Ready for checkin => Accepted
Comment:
Please don't mark your own PRs as
[https://docs.djangoproject.com/en/stable/internals/contributing/triaging-
tickets/#ready-for-checkin Ready for checkin].
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:7>
Django
RuntimeError in DEBUG mode
Reporter: Troy Sankey | Owner: Avaneesh
| Kumar
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mariusz Felisiak):
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:8>
Django
RuntimeError in DEBUG mode
-------------------------------------+-------------------------------------
Reporter: Troy Sankey | Owner: Avaneesh
| Kumar
Component: HTTP handling | Version: 4.2
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"705b1702bda78e5d3f63d726efe01f87095d9e96" 705b170]:
{{{
#!CommitTicketReference repository=""
revision="705b1702bda78e5d3f63d726efe01f87095d9e96"
Fixed #34742 -- Made CommonMiddleware raise APPEND_SLASH RuntimeError on
DELETE requests.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:9>