Ticket #18004: 18004-multipartparser-r17813.diff
File 18004-multipartparser-r17813.diff, 3.9 KB (added by , 13 years ago) |
---|
-
django/http/multipartparser.py
147 147 transfer_encoding = meta_data.get('content-transfer-encoding') 148 148 if transfer_encoding is not None: 149 149 transfer_encoding = transfer_encoding[0].strip() 150 field_name = force_unicode(field_name, encoding, errors=' replace')150 field_name = force_unicode(field_name, encoding, errors='strict') 151 151 152 152 if item_type == FIELD: 153 153 # This is a post field, we can just set it in the post … … 161 161 data = field_stream.read() 162 162 163 163 self._post.appendlist(field_name, 164 force_unicode(data, encoding, errors=' replace'))164 force_unicode(data, encoding, errors='strict')) 165 165 elif item_type == FILE: 166 166 # This is a file, use the handler... 167 167 file_name = disposition.get('filename') 168 168 if not file_name: 169 169 continue 170 file_name = force_unicode(file_name, encoding, errors=' replace')170 file_name = force_unicode(file_name, encoding, errors='strict') 171 171 file_name = self.IE_sanitize(unescape_entities(file_name)) 172 172 173 173 content_type = meta_data.get('content-type', ('',))[0].strip() … … 243 243 # If it returns a file object, then set the files dict. 244 244 self._files.appendlist(force_unicode(old_field_name, 245 245 self._encoding, 246 errors=' replace'),246 errors='strict'), 247 247 file_obj) 248 248 break 249 249 -
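Review bot: With `errors='strict'`, each of the four `force_unicode` calls can now raise on bytes the client fully controls (field name, field data, file name, and `old_field_name`), and nothing in the visible hunks catches that. The accompanying test expects `DjangoUnicodeDecodeError` to escape `client.post`, so a badly encoded request would presumably surface as an unhandled server error rather than a client-error response. Consider catching the decode error in the parser and re-raising it as the module's own `MultiPartParserError`, or otherwise mapping it to a 400, so malformed uploads are rejected cleanly and do not flood error reporting. The last hunk decodes `old_field_name` only after the handler has returned `file_obj`, so a failure there may leave an already-received upload without cleanup; decoding the name once before the handlers run would avoid that. The enclosing method starts and ends outside these hunks, so an existing outer handler cannot be ruled out.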
tests/regressiontests/file_uploads/tests.py
13 13 from django.core.files.uploadedfile import SimpleUploadedFile 14 14 from django.http.multipartparser import MultiPartParser 15 15 from django.test import TestCase, client 16 from django.utils import simplejson, unittest16 from django.utils import encoding, simplejson, unittest 17 17 18 18 from . import uploadhandler 19 19 from .models import FileModel, temp_storage, UPLOAD_TO … … 104 104 105 105 self.assertEqual(response.status_code, 200) 106 106 107 def test_non_utf_post_data(self): 108 BIG5_STRING = u'test-0123456789_δΈζ.jpg' 109 110 tdir = tempfile.gettempdir() 111 112 # This file contains chinese symbols in the name. 113 file1 = open(os.path.join(tdir, BIG5_STRING.encode('big5')), 'w+b') 114 file1.write('b' * (2 ** 10)) 115 file1.seek(0) 116 117 self.assertRaises( 118 encoding.DjangoUnicodeDecodeError, 119 self.client.post, 120 '/file_uploads/unicode_name/', 121 {'file_unicode': file1} 122 ) 123 124 file1.close() 125 try: 126 os.unlink(file1.name) 127 except: 128 pass 129 130 self.assertRaises( 131 encoding.DjangoUnicodeDecodeError, 132 self.client.post, 133 '/file_uploads/unicode_name/', 134 {BIG5_STRING.encode('big5'): 'string data'} 135 ) 136 137 self.assertRaises( 138 encoding.DjangoUnicodeDecodeError, 139 self.client.post, 140 '/file_uploads/unicode_name/', 141 {'string data': BIG5_STRING.encode('big5')} 142 ) 143 107 144 def test_dangerous_file_names(self): 108 145 """Uploaded file names should be sanitized before ever reaching the view.""" 109 146 # This test simulates possible directory traversal attacks by a
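Review bot: The cleanup in `test_non_utf_post_data` is not guaranteed to run: if the first `assertRaises` fails, `file1.close()` and `os.unlink(file1.name)` are skipped and the file stays in the temp directory. Registering the cleanup right after the `open`, e.g. `self.addCleanup(os.unlink, file1.name)`, or wrapping the assertion in `try`/`finally`, would fix that. The bare `except: pass` also swallows every exception, `KeyboardInterrupt` included; `except OSError:` is the narrowest clause that covers a failed unlink. A docstring stating which three inputs are covered (file name, field name, field value) would help, since the method name alone does not say that a decode error is the expected outcome.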