mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-09-10 02:59:34 +00:00
Code Issues 32 Releases Wiki Activity

Refs #36520 -- Ensured only the header value is passed to parse_header_parameters for multipart requests.

Browse Source 
Header parsing should apply only to the header value. The previous
implementation happened to work but relied on unintended behavior.
This commit is contained in:
Jake Howard 2025-08-20 16:04:48 +01:00 committed by nessita
parent c93dddf659
commit 41ff30f6f9
2 changed files with 31 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
django/http/multipartparser.py
View File

@ -721,11 +721,10 @@ def parse_boundary_stream(stream, max_header_size):
# Eliminate blank lines
for line in header.split(b"\r\n"):
# This terminology ("main value" and "dictionary of
# parameters") is from the Python docs.
try:
main_value_pair, params = parse_header_parameters(line.decode())
name, value = main_value_pair.split(":", 1)
header_name, value_and_params = line.decode().split(":", 1)
name = header_name.lower().rstrip(" ")
value, params = parse_header_parameters(value_and_params.lstrip(" "))
params = {k: v.encode() for k, v in params.items()}
except ValueError: # Invalid header.
continue

28
tests/requests_tests/tests.py
View File

@ -450,6 +450,34 @@ class RequestsTests(SimpleTestCase):
with self.assertRaises(RawPostDataException):
request.body
def test_malformed_multipart_header(self):
for header in [
'Content-Disposition : form-data; name="name"',
'Content-Disposition:form-data; name="name"',
'Content-Disposition :form-data; name="name"',
]:
with self.subTest(header):
payload = FakePayload(
"\r\n".join(
[
"--boundary",
header,
"",
"value",
"--boundary--",
]
)
)
request = WSGIRequest(
{
"REQUEST_METHOD": "POST",
"CONTENT_TYPE": "multipart/form-data; boundary=boundary",
"CONTENT_LENGTH": len(payload),
"wsgi.input": payload,
}
)
self.assertEqual(request.POST, {"name": ["value"]})
def test_body_after_POST_multipart_related(self):
"""
Reading body after parsing multipart that isn't form-data is allowed