This causes an "500 Internal Server Error", which is supposed to be "400
Bad Request".
Traceback with sensitive information removed:
{{{
Traceback (most recent call last):
...
File ".../site-packages/django/core/handlers/wsgi.py", line 111, in
_get_post
self._load_post_and_files()
File ".../site-packages/django/http/request.py", line 310, in
_load_post_and_files
self._post, self._files = self.parse_file_upload(self.META, data)
File ".../site-packages/django/http/request.py", line 268, in
parse_file_upload
parser = MultiPartParser(META, post_data, self.upload_handlers,
self.encoding)
File ".../site-packages/django/http/multipartparser.py", line 72, in
__init__
raise MultiPartParserError('Invalid boundary in multipart: %s' %
boundary.decode())
AttributeError: 'NoneType' object has no attribute 'decode'
}}}
Possible fix:
Replace `boundary.decode()` at `django/http/multipartparser.py:72` with
`force_text(boundary, errors="replace")`
--
Ticket URL: <https://code.djangoproject.com/ticket/30227>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* has_patch: 0 => 1
* stage: Unreviewed => Accepted
Comment:
[https://github.com/django/django/pull/11042 PR]
I didn't include `errors="replace"` -- can you give a case where that's
needed?
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:1>
Comment (by Simon Charette):
Tim, I think that passing an invalid UTF-8 byte sequence as boundary could
cause `force_str` to crash with `UnicodeDecodeError`
e.g. `boundary = u'timgràhàm'.encode('latin').decode('utf-8')`
But that might crash even sooner.
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:2>
Comment (by Tim Graham):
Yes, it crashes at `content_type.encode('ascii')`. I added a second commit
with a helpful message for that case.
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:3>
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:4>
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"2ed2acf872b87d1149da98ceeb96997f23258e83" 2ed2acf8]:
{{{
#!CommitTicketReference repository=""
revision="2ed2acf872b87d1149da98ceeb96997f23258e83"
Fixed #30227 -- Fixed crash on request without boundary in Content-Type.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:5>
Comment (by Tim Graham <timograham@…>):
In [changeset:"8ec7ded3706fe66bf307ed339eb852d73f6d10d0" 8ec7ded3]:
{{{
#!CommitTicketReference repository=""
revision="8ec7ded3706fe66bf307ed339eb852d73f6d10d0"
Refs #30227 -- Added helpful message for non-ASCII Content-Type in
mulitpart request.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:6>