Opened 2 years ago

Closed 2 years ago

#19124 closed Bug (duplicate)

request.POST contains the raw_post_body as its first key

Reported by: sam@… Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords: http
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If I define a view like this:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def blabityblah(request):
    return HttpResponse(repr(request.POST))

And request it like this:

import requests
requests.post('/blabityblah', data=json.dumps({'abcd':'1234'}), headers={'content-type': 'application/json'})

I expect there to be no values in request.REQUEST however, this is what is returned:

<QueryDict: {u'{"abc": "1234"}': [u'']}>

This is broken for multiple reasons:

  1. any automated signing of the request using request.REQUEST will be completely broken, as most automated signing schemes use only request bodies encoded with application/x-www-form-urlencoded and the request.GET string (looking at you, oauth). in this case, the client may encode and sign the request properly, but django will not report the correct parameters
  2. confusing to any user trying to get at the POST data. they should be using request.raw_post_data and not request.POST - which should be blank

My suggestion is that request.POST should only contain the values from application/x-www-form-urlencoded and multipart/form-data

Change History (1)

comment:1 Changed 2 years ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

++++1, but duplicate of #5611

Note: See TracTickets for help on using tickets.
Back to Top