[Django] #23047: Handle Extended Header Parameters Specified in RFC # 2231
Django
-------------------------------------+-------------------------------------
Reporter: ceaess | Owner: nobody
Type: Bug | Status: new
Component: File | Version: 1.6
uploads/storage | Keywords: multipart, rfc
Severity: Normal | compliance, files
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
This ticket originates with a bug reported in Requests,
[https://github.com/kennethreitz/requests/issues/2117 here] but is
actually a bug in all versions of Django (and Rack, and more) with the
implementation of [http://tools.ietf.org/html/rfc2231#section-4 RFC #2231]
section 4 (from 1997). This was discussed tangentially in a previous
thread [https://code.djangoproject.com/ticket/20147 here] but not
addressed.
For example if someone tries to use a filename like {{{u'файл'}}}, this
should be sent to the server as
{{{filename*=utf-8''%D1%84%D0%B0%D0%B9%D0%BB}}}. This is not properly
parsed by Django and so it appears to not have a filename at all.
I don't advise immediately parsing and decoding the value because of
attacks that are possible through utf-7 and other character sets.
--
Ticket URL: <https://code.djangoproject.com/ticket/23047>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------------+-------------------------------------
Reporter: ceaess | Owner: nobody
Type: Bug | Status: new
Component: File | Version: 1.6
Severity: Normal | Triage Stage:
Keywords: multipart, rfc | Unreviewed
compliance, files | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by ceaess):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
Currently working on a patch now.
--
Ticket URL: <https://code.djangoproject.com/ticket/23047#comment:1>
Django
-------------------------------------+-------------------------------------
Reporter: ceaess | Owner: nobody
Component: File | Version: 1.6
uploads/storage | Resolution: duplicate
Severity: Normal | Triage Stage:
Keywords: multipart, rfc | Unreviewed
compliance, files | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
* status: new => closed
* resolution: => duplicate
Comment:
Duplicate of #22971. May I ask you to review the patch there? And maybe
tell us more about possible attacks.
--
Ticket URL: <https://code.djangoproject.com/ticket/23047#comment:2>
Django
-------------------------------------+-------------------------------------
Reporter: ceaess | Owner: nobody
Component: File | Version: 1.6
uploads/storage | Resolution: duplicate
Severity: Normal | Triage Stage:
Keywords: multipart, rfc | Unreviewed
compliance, files | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Comment (by ceaess):
Happy to review; a cursory look at the patch makes it seem incomplete but
will provide further commentary on the other ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/23047#comment:3>