[Django] #26325: File upload crashes when presented with filename ending with a backslash
Django
--------------------------------------+--------------------
Reporter: jmb202 | Owner: nobody
Type: Uncategorized | Status: new
Component: File uploads/storage | Version: 1.8
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+--------------------
The multipart parser in Django 1.8.10 will crash if the following
conditions are met:
* the total POST body is small enough to cause the
MemoryFileUploadHandler to be active
* the name of the file provided in the multipart header ends with a
backslash
The following traceback is obtained:
{{{
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py",
line 125, in get_response
File "/usr/lib/python2.7/dist-packages/django/middleware/csrf.py", line
170, in process_view
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
File "/usr/lib/python2.7/dist-packages/django/core/handlers/wsgi.py",
line 146, in _get_post
self._load_post_and_files()
File "/usr/lib/python2.7/dist-packages/django/http/request.py", line
215, in _load_post_and_files
self._post, self._files = self.parse_file_upload(self.META, data)
File "/usr/lib/python2.7/dist-packages/django/http/request.py", line
180, in parse_file_upload
return parser.parse()
File "/usr/lib/python2.7/dist-packages/django/http/multipartparser.py",
line 145, in parse
self.handle_file_complete(old_field_name, counters)
File "/usr/lib/python2.7/dist-packages/django/http/multipartparser.py",
line 255, in handle_file_complete
file_obj = handler.file_complete(counters[i])
File "/usr/lib/python2.7/dist-
packages/django/core/files/uploadhandler.py", line 141, in file_complete
self.file.seek(0)
AttributeError: 'TemporaryFileUploadHandler' object has no attribute
'file'
}}}
I have attached a patch containing a proposed fix and regression test.
--
Ticket URL: <https://code.djangoproject.com/ticket/26325>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: jmb202 | Owner: nobody
Type: Uncategorized | Status: new
Component: File uploads/storage | Version: 1.8
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Easy pickings: 0
UI/UX: 0 |
Changes (by jmb202):
* Attachment "fix-multipart-file-upload.diff" added.
Proposed fix
Django
Reporter: jmb202 | Owner: nobody
Type: Bug | Status: new
Component: File uploads/storage | Version: 1.8
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by timgraham):
* needs_better_patch: => 0
* stage: Unreviewed => Accepted
* type: Uncategorized => Bug
* needs_tests: => 0
* needs_docs: => 0
Comment:
Could you send the patch as a pull request to the master branch?
--
Ticket URL: <https://code.djangoproject.com/ticket/26325#comment:1>
Django
Reporter: jmb202 | Owner: nobody
Type: Bug | Status: new
Component: File uploads/storage | Version: 1.8
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Comment (by jmb202):
Sure. You can find it here: https://github.com/django/django/pull/6251
--
Ticket URL: <https://code.djangoproject.com/ticket/26325#comment:2>
Django
Reporter: jmb202 | Owner: nobody
Type: Bug | Status: closed
Component: File uploads/storage | Version: 1.8
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Changes (by Tim Graham <timograham@…>):
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"4b129ac81f4fa38004950d0b307f81d1e9b44af8" 4b129ac]:
{{{
#!CommitTicketReference repository=""
revision="4b129ac81f4fa38004950d0b307f81d1e9b44af8"
Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an
empty string.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26325#comment:3>
Django
Reporter: jmb202 | Owner: nobody
Type: Bug | Status: closed
Component: File uploads/storage | Version: 1.8
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"809eb5ddeeca388b2a1d339f7d5ee1f29119ecea" 809eb5d]:
{{{
#!CommitTicketReference repository=""
revision="809eb5ddeeca388b2a1d339f7d5ee1f29119ecea"
[1.9.x] Fixed #26325 -- Made MultiPartParser ignore filenames that
normalize to an empty string.
Backport of 4b129ac81f4fa38004950d0b307f81d1e9b44af8 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26325#comment:4>
Django
Reporter: jmb202 | Owner: nobody
Type: Bug | Status: closed
Component: File uploads/storage | Version: 1.8
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"a5e9ae9ad5170942092b0ed4db0eb6e9de7f41db" a5e9ae9a]:
{{{
#!CommitTicketReference repository=""
revision="a5e9ae9ad5170942092b0ed4db0eb6e9de7f41db"
[1.8.x] Fixed #26325 -- Made MultiPartParser ignore filenames that
normalize to an empty string.
Backport of 4b129ac81f4fa38004950d0b307f81d1e9b44af8 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26325#comment:5>