Opened 14 years ago

Last modified 3 months ago

#15879 assigned Bug

multipart/form-data filename="" not handled as file

Reported by: j@… Owned by: Hridesh MG
Component: File uploads/storage Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

Django does not parse file uploads with empty filename as file objects in multipart/form-data requests.
This happens currently if you try to upload a Blob in Firefox 4 (https://bugzilla.mozilla.org/show_bug.cgi?id=649150)
Firefox sends this:

Content-Disposition: form-data; name="fieldname"; filename=""
Content-Type: content/type
DATA

Reading the related RFCs there is no mention that filename="" is not allowed and the existence of the filename parameter should be enough to treat it as a file.
looking at django/http/multipartparser.py
165ff

                    file_name = disposition.get('filename')
                    if not file_name:
                        continue

this would need to set a default filename instead of bailing out
(i.e. if file_name == : file_name = 'data.bin)

590:

            if params.get('filename'):

this would need to check

if 'filename' in params:

Attachments (2)

multipart_file_with_emptry_string_name.patch (951 bytes ) - added by j@… 14 years ago.
setting file_name to None instead of default value also works. with this patch django is able to handle Blob FormData send by Firefox 4.0
multipart_file_with_emptry_string_name.2.patch (1.1 KB ) - added by j@… 14 years ago.
skip file creation if filename is not set

Download all attachments as: .zip

Change History (8)

by j@…, 14 years ago

Attachment: multipart_file_with_emptry_string_name.patch added

setting file_name to None instead of default value also works. with this patch django is able to handle Blob FormData send by Firefox 4.0

comment:1 by Carl Meyer, 14 years ago

Has patch: set
Needs tests: set
Patch needs improvement: set
Triage Stage: UnreviewedAccepted

Patch doesn't look quite right, based on the description - if there is no filename parameter it would be None, and the current code would skip it (continue) but the new could would not.

by j@…, 14 years ago

Attachment: multipart_file_with_emptry_string_name.2.patch added

skip file creation if filename is not set

comment:2 by Aymeric Augustin, 13 years ago

UI/UX: unset

Change UI/UX from NULL to False.

comment:3 by Hridesh MG, 4 months ago

Needs tests: unset
Owner: changed from nobody to Hridesh MG
Status: newassigned

Can confirm that this is still reproducible, I've written the following test that can be added to tests/requests_tests.py

    def test_POST_multipart_with_empty_filename(self):
        payload = FakePayload(
            "\r\n".join(
                [
                    f"--{BOUNDARY}",
                    'Content-Disposition: form-data; name="File"; filename=""',
                    "Content-Type: application/octet-stream",
                    "",
                    "DATA",
                    f"--{BOUNDARY}--",
                ]
            )
        )
        request = WSGIRequest(
            {
                "REQUEST_METHOD": "POST",
                "CONTENT_TYPE": MULTIPART_CONTENT,
                "CONTENT_LENGTH": len(payload),
                "wsgi.input": payload,
            }
        )
        self.assertEqual(len(request.FILES), 1)
        self.assertIsInstance((request.FILES["File"]), InMemoryUploadedFile)
Last edited 4 months ago by Hridesh MG (previous) (diff)

comment:4 by Hridesh MG, 4 months ago

PR

comment:5 by Jacob Walls, 4 months ago

Patch needs improvement: unset

comment:6 by David Smith, 3 months ago

Patch needs improvement: set
Note: See TracTickets for help on using tickets.
Back to Top