[Django] #30227: POST "multipart/form-data" without "boundary" causes AttributeError
Django
-------------------------------------+-------------------------------------
Reporter: | Owner: nobody
chenzhuoyu |
Type: Bug | Status: new
Component: HTTP | Version: 2.1
handling |
Severity: Normal | Keywords: multipart, boundary
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
`curl -sv http://example.com/my_api/ -XPOST -H 'Content-Type: multipart
/form-data'`
This causes an "500 Internal Server Error", which is supposed to be "400
Bad Request".
Traceback with sensitive information removed:
{{{
Traceback (most recent call last):
...
File ".../site-packages/django/core/handlers/wsgi.py", line 111, in
_get_post
self._load_post_and_files()
File ".../site-packages/django/http/request.py", line 310, in
_load_post_and_files
self._post, self._files = self.parse_file_upload(self.META, data)
File ".../site-packages/django/http/request.py", line 268, in
parse_file_upload
parser = MultiPartParser(META, post_data, self.upload_handlers,
self.encoding)
File ".../site-packages/django/http/multipartparser.py", line 72, in
__init__
raise MultiPartParserError('Invalid boundary in multipart: %s' %
boundary.decode())
AttributeError: 'NoneType' object has no attribute 'decode'
}}}
Possible fix:
Replace `boundary.decode()` at `django/http/multipartparser.py:72` with
`force_text(boundary, errors="replace")`
--
Ticket URL: <https://code.djangoproject.com/ticket/30227>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------------+------------------------------------
Type: Bug | Status: new
Component: HTTP handling | Version: 2.1
Severity: Normal | Resolution:
Keywords: multipart, boundary | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
* has_patch: 0 => 1
* stage: Unreviewed => Accepted
Comment:
[https://github.com/django/django/pull/11042 PR]
I didn't include `errors="replace"` -- can you give a case where that's
needed?
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:1>
Django
Reporter: Oxygen | Owner: nobody
Component: HTTP handling | Version: 2.1
Severity: Normal | Resolution:
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Comment (by Simon Charette):
Tim, I think that passing an invalid UTF-8 byte sequence as boundary could
cause `force_str` to crash with `UnicodeDecodeError`
e.g. `boundary = u'timgràhàm'.encode('latin').decode('utf-8')`
But that might crash even sooner.
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:2>
Django
Reporter: Oxygen | Owner: nobody
Component: HTTP handling | Version: 2.1
Severity: Normal | Resolution:
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Comment (by Tim Graham):
Yes, it crashes at `content_type.encode('ascii')`. I added a second commit
with a helpful message for that case.
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:3>
Django
-------------------------------------+-------------------------------------
Type: Bug | Status: new
Component: HTTP handling | Version: 2.1
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:4>
Django
-------------------------------------+-------------------------------------
Type: Bug | Status: closed
Component: HTTP handling | Version: 2.1
Keywords: multipart, boundary | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"2ed2acf872b87d1149da98ceeb96997f23258e83" 2ed2acf8]:
{{{
#!CommitTicketReference repository=""
revision="2ed2acf872b87d1149da98ceeb96997f23258e83"
Fixed #30227 -- Fixed crash on request without boundary in Content-Type.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:5>
Django
-------------------------------------+-------------------------------------
Type: Bug | Status: closed
Component: HTTP handling | Version: 2.1
Severity: Normal | Resolution: fixed
Keywords: multipart, boundary | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Tim Graham <timograham@…>):
In [changeset:"8ec7ded3706fe66bf307ed339eb852d73f6d10d0" 8ec7ded3]:
{{{
#!CommitTicketReference repository=""
revision="8ec7ded3706fe66bf307ed339eb852d73f6d10d0"
Refs #30227 -- Added helpful message for non-ASCII Content-Type in
mulitpart request.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30227#comment:6>