Opened 14 years ago

Last modified 4 weeks ago

#15879 assigned Bug

multipart/form-data filename="" not handled as file

Reported by: j@… Owned by: Hridesh MG
Component: File uploads/storage Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django does not parse file uploads with empty filename as file objects in multipart/form-data requests.
This happens currently if you try to upload a Blob in Firefox 4 (https://bugzilla.mozilla.org/show_bug.cgi?id=649150)
Firefox sends this:

Content-Disposition: form-data; name="fieldname"; filename=""
Content-Type: content/type
DATA

Reading the related RFCs there is no mention that filename="" is not allowed and the existence of the filename parameter should be enough to treat it as a file.
looking at django/http/multipartparser.py
165ff

                    file_name = disposition.get('filename')
                    if not file_name:
                        continue

this would need to set a default filename instead of bailing out
(i.e. if file_name == : file_name = 'data.bin)

590:

            if params.get('filename'):

this would need to check

if 'filename' in params:

According to the ticket's flags, the next step(s) to move this issue forward are:

  • For anyone except the patch author to review the patch using the patch review checklist and either mark the ticket as "Ready for checkin" if everything looks good, or leave comments for improvement and mark the ticket as "Patch needs improvement".

Change History (7)

by j@…, 14 years ago

Attachment: multipart_file_with_emptry_string_name.patch added

setting file_name to None instead of default value also works. with this patch django is able to handle Blob FormData send by Firefox 4.0

comment:1 by Carl Meyer, 14 years ago

Has patch: set
Needs tests: set
Patch needs improvement: set
Triage Stage: UnreviewedAccepted

Patch doesn't look quite right, based on the description - if there is no filename parameter it would be None, and the current code would skip it (continue) but the new could would not.

by j@…, 14 years ago

Attachment: multipart_file_with_emptry_string_name.2.patch added

skip file creation if filename is not set

comment:2 by Aymeric Augustin, 13 years ago

UI/UX: unset

Change UI/UX from NULL to False.

comment:3 by Hridesh MG, 4 weeks ago

Needs tests: unset
Owner: changed from nobody to Hridesh MG
Status: newassigned

Can confirm that this is still reproducible, I've written the following test that can be added to tests/requests_tests.py

    def test_POST_multipart_with_empty_filename(self):
        payload = FakePayload(
            "\r\n".join(
                [
                    f"--{BOUNDARY}",
                    'Content-Disposition: form-data; name="File"; filename=""',
                    "Content-Type: application/octet-stream",
                    "",
                    "DATA",
                    f"--{BOUNDARY}--",
                ]
            )
        )
        request = WSGIRequest(
            {
                "REQUEST_METHOD": "POST",
                "CONTENT_TYPE": MULTIPART_CONTENT,
                "CONTENT_LENGTH": len(payload),
                "wsgi.input": payload,
            }
        )
        self.assertEqual(len(request.FILES), 1)
        self.assertIsInstance((request.FILES["File"]), InMemoryUploadedFile)
Last edited 4 weeks ago by Hridesh MG (previous) (diff)

comment:4 by Hridesh MG, 4 weeks ago

PR

comment:5 by Jacob Walls, 4 weeks ago

Patch needs improvement: unset
Note: See TracTickets for help on using tickets.
Back to Top