Opened 11 years ago

Closed 11 years ago

#19124 closed Bug (duplicate)

request.POST contains the raw_post_body as its first key

Reported by: sam@… Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords: http
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


If I define a view like this:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

def blabityblah(request):
    return HttpResponse(repr(request.POST))

And request it like this:

import requests'/blabityblah', data=json.dumps({'abcd':'1234'}), headers={'content-type': 'application/json'})

I expect there to be no values in request.REQUEST however, this is what is returned:

<QueryDict: {u'{"abc": "1234"}': [u'']}>

This is broken for multiple reasons:

  1. any automated signing of the request using request.REQUEST will be completely broken, as most automated signing schemes use only request bodies encoded with application/x-www-form-urlencoded and the request.GET string (looking at you, oauth). in this case, the client may encode and sign the request properly, but django will not report the correct parameters
  2. confusing to any user trying to get at the POST data. they should be using request.raw_post_data and not request.POST - which should be blank

My suggestion is that request.POST should only contain the values from application/x-www-form-urlencoded and multipart/form-data

Change History (1)

comment:1 Changed 11 years ago by Claude Paroz

Resolution: duplicate
Status: newclosed

++++1, but duplicate of #5611

Note: See TracTickets for help on using tickets.
Back to Top