[Django] #36833: HttpRequest.accepted_types incorrectly splits Accept header on commas inside quoted parameter values

Django

Dec 27, 2025, 9:08:45 AM
to django-...@googlegroups.com
#36833: HttpRequest.accepted_types incorrectly splits Accept header on commas
inside quoted parameter values
-----------------------------------------+------------------------------
Reporter: Naveed Qadir | Owner: Naveed Qadir
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------------
The `accepted_types` property in `HttpRequest` uses `str.split(",")` to
parse the Accept header, which incorrectly splits on commas that appear
inside quoted parameter values.

== Example ==

{{{#!python
# Accept header with quoted parameter containing comma
header = 'text/plain; param="a,b", application/json'

# Current behavior (WRONG):
header.split(",")
# Returns: ['text/plain; param="a', 'b"', ' application/json']
# 3 parts - comma inside quotes was incorrectly treated as separator

# Expected behavior (per RFC 7231):
# Should return 2 media types:
# 1. text/plain; param="a,b"
# 2. application/json
}}}

== RFC Reference ==

RFC 7231 Section 5.3.2 specifies that media-type parameters can contain
quoted-string values, and RFC 7230 Section 3.2.6 allows commas within
quoted strings.

== Proposed Fix ==

Add a `split_header_words()` helper function to `django/utils/http.py`
that splits on commas while respecting quoted strings, similar to how
`_parseparam()` handles semicolons.

A patch with tests is available.
--
Ticket URL: <https://code.djangoproject.com/ticket/36833>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
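
Added example (not part of the ticket, not Django's code, and not the patch in the linked pull request): a minimal quote-aware comma splitter compared with `str.split(",")` on constructed Accept headers. The names `split_quoted_commas`, `compare` and `SAMPLES` are hypothetical.

```python
def split_quoted_commas(value):
    """Split a header value on commas that sit outside quoted-strings.

    Hypothetical helper for illustration. Inside quotes, a backslash
    escapes the next character (quoted-pair), so an escaped quote does
    not end the quoted-string.
    """
    parts, current = [], []
    in_quotes = escaped = False
    for ch in value:
        if escaped:
            # Character following a backslash inside quotes is literal.
            current.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == "," and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    # Drop empty list elements such as those produced by "a,,b".
    return [p for p in parts if p]


# Constructed sample headers (not captured traffic).
SAMPLES = [
    'text/plain; param="a,b", application/json',
    'text/html; note="say \\"hi\\", ok"; q=0.8, */*; q=0.1',
    'text/html, application/xhtml+xml, */*;q=0.8',
]


def compare(header):
    """Return (naive, quote_aware) splits of the same header value."""
    naive = [p.strip() for p in header.split(",")]
    return naive, split_quoted_commas(header)


if __name__ == "__main__":
    for sample in SAMPLES:
        naive, aware = compare(sample)
        print(f"{sample!r}\n  naive: {naive}\n  aware: {aware}")
```

Headers without quoted parameters split identically under both approaches; only the quoted cases differ.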

Django

Dec 29, 2025, 2:44:17 PM
to django-...@googlegroups.com
#36833: HttpRequest.accepted_types incorrectly splits Accept header on commas
inside quoted parameter values
-------------------------------------+-------------------------------------
Reporter: Naveed Qadir | Owner: Naveed Qadir
Type: Bug | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: needsinfo
Keywords: HTTP_ACCEPT, accept | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* keywords: => HTTP_ACCEPT, accept
* resolution: => needsinfo
* status: assigned => closed

Comment:

Do you have an example of real-world HTTP traffic that sends params like
that for the accept header?

Looking at the [https://github.com/django/django/pull/20472 provided
patch], this is too much complexity for the benefit. I'd also expect to
block this on a resolution for #35440, with the hope that we can leverage
some existing pattern for param parsing using python's stdlib.
--
Ticket URL: <https://code.djangoproject.com/ticket/36833#comment:1>

Django

Dec 29, 2025, 3:04:11 PM
to django-...@googlegroups.com
Comment (by Naveed Qadir):

Thanks for the feedback and for pointing me to #35440 — I agree that
reusing a stdlib-based approach would be preferable if we can do so
without performance regressions.
Regarding real-world usage: I’m not aware of common browsers or clients
emitting Accept headers with quoted parameters containing commas or
escaped quotes. The change was motivated by spec-permitted behavior and to
avoid incorrect parsing when such headers do appear, but I agree this is
rare in practice.
Given the complexity concerns and the direction of #35440, I’m happy to
defer this and continue the discussion there.
Replying to [comment:1 Jacob Walls]:
> Do you have an example of real-world HTTP traffic that sends params like
> that for the accept header?
>
> Looking at the [https://github.com/django/django/pull/20472 provided
> patch], this is too much complexity for the benefit. I'd also expect to
> block this on a resolution for #35440, with the hope that we can leverage
> some existing pattern for param parsing using python's stdlib.
--
Ticket URL: <https://code.djangoproject.com/ticket/36833#comment:2>