Opened 13 years ago
Closed 13 years ago
#19124 closed Bug (duplicate)
request.POST contains the raw_post_body as its first key
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.4 |
| Severity: | Normal | Keywords: | http |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If I define a view like this:
```python
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def blabityblah(request):
    return HttpResponse(repr(request.POST))
```
And request it like this:
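```python
import json

import requests

# The path is shown without scheme and host; prefix the address of the server under test.
requests.post('/blabityblah', data=json.dumps({'abcd':'1234'}), headers={'content-type': 'application/json'})
```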
I expect there to be no values in request.REQUEST; however, this is what is returned:

```
<QueryDict: {u'{"abc": "1234"}': [u'']}>
```
This is broken for multiple reasons:
- any automated signing of the request using request.REQUEST will be completely broken, as most automated signing schemes use only request bodies encoded with application/x-www-form-urlencoded and the request.GET string (looking at you, oauth). in this case, the client may encode and sign the request properly, but django will not report the correct parameters
- confusing to any user trying to get at the POST data. they should be using request.raw_post_data and not request.POST - which should be blank
My suggestion is that request.POST should only contain the values from application/x-www-form-urlencoded and multipart/form-data
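
The behaviour described in this ticket, as an added example that is not part of the original report or Django's own code: Python's standard `urllib.parse.parse_qs` stands in for the form parser (an assumption), and the function names, query string and sample request are hypothetical, constructed values. It shows how a JSON body parsed as a form yields one phantom parameter, and how that changes the parameter set a signature check would cover.

```python
import json
from urllib.parse import parse_qs

def naive_post_params(body):
    """Parse any body as a urlencoded form, ignoring Content-Type (the reported behaviour)."""
    return parse_qs(body.decode("utf-8"), keep_blank_values=True)

def gated_post_params(content_type, body):
    """Return form parameters only for form content types, as the ticket suggests."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return parse_qs(body.decode("utf-8"), keep_blank_values=True)
    if media_type == "multipart/form-data":
        raise NotImplementedError("multipart parsing is outside this example")
    return {}  # JSON and other bodies contribute no form parameters

def signing_params(query_string, post_params):
    """Sorted (name, value) pairs that a form-parameter signing scheme would cover."""
    merged = parse_qs(query_string, keep_blank_values=True)
    for name, values in post_params.items():
        merged.setdefault(name, []).extend(values)
    return sorted((n, v) for n, vs in merged.items() for v in vs)

# Constructed sample request: signed query string plus a JSON body.
QUERY = "user=alice&nonce=42"
BODY = json.dumps({"abcd": "1234"}).encode("utf-8")
CTYPE = "application/json"

def demo():
    client = signing_params(QUERY, {})  # client signs no body params for JSON
    naive = signing_params(QUERY, naive_post_params(BODY))
    gated = signing_params(QUERY, gated_post_params(CTYPE, BODY))
    return client, naive, gated

if __name__ == "__main__":
    client, naive, gated = demo()
    print("client signs:      ", client)
    print("naive server sees: ", naive)
    print("gated server sees: ", gated)
    print("naive matches client:", naive == client)
    print("gated matches client:", gated == client)
```
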
++++1, but duplicate of #5611