#19124 closed Bug (duplicate)

request.POST contains the raw_post_body as its first key

Reported by: sam@… Owned by: nobody
Component: HTTP handling Version: 1.4
Severity: Normal Keywords: http
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If I define a view like this:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def blabityblah(request):
    return HttpResponse(repr(request.POST))

And request it like this:

import json
import requests
requests.post('/blabityblah', data=json.dumps({'abcd':'1234'}), headers={'content-type': 'application/json'})

I expect there to be no values in request.REQUEST; however, this is what is returned:

<QueryDict: {u'{"abc": "1234"}': [u'']}>

This is broken for multiple reasons:

  1. Any automated signing of the request using request.REQUEST will be completely broken, as most automated signing schemes use only request bodies encoded with application/x-www-form-urlencoded and the request.GET string (looking at you, oauth). In this case, the client may encode and sign the request properly, but django will not report the correct parameters.
  2. It is confusing to any user trying to get at the POST data. They should be using request.raw_post_data and not request.POST, which should be blank.

My suggestion is that request.POST should only contain the values from application/x-www-form-urlencoded and multipart/form-data.
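The behaviour the ticket describes can be reproduced without Django: a JSON body fed through a form-urlencoded parser becomes a single bogus key with an empty value, and an OAuth-style signer that builds its base string from the parsed POST keys would then sign that bogus parameter. The following is an added illustration, not code from the ticket or from Django; the request bodies and the helper names are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample bodies, mirroring the ticket: a JSON payload sent with
# Content-Type application/json, and an ordinary form-encoded payload.
JSON_BODY = '{"abcd": "1234"}'
FORM_BODY = 'abcd=1234&x=y'


def naive_post_dict(content_type, body):
    """Emulates the reported behaviour: the body is always run through the
    form-urlencoded parser, whatever the Content-Type says, so a JSON body
    ends up as one key ('{"abcd": "1234"}') with an empty value."""
    return parse_qs(body, keep_blank_values=True)


def strict_post_dict(content_type, body):
    """The reporter's suggestion: only populate the POST dict for form
    encodings. The media type is compared without its parameters (e.g.
    '; charset=utf-8'). Only the urlencoded case is parsed here; a real
    multipart/form-data body needs a multipart parser, and every other
    media type is left for the caller to read from the raw body."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return parse_qs(body, keep_blank_values=True)
    return {}


def signed_parameter_names(post_dict, query_string):
    """Parameter names an OAuth-style signer would fold into its base
    string: every query-string name plus every key of the POST dict.
    With the naive parser a JSON body contributes the whole body as a
    parameter name, so the server-side signature can never match one the
    client computed over the JSON request."""
    names = set(parse_qs(query_string, keep_blank_values=True))
    names.update(post_dict)
    return sorted(names)


if __name__ == "__main__":
    for parser in (naive_post_dict, strict_post_dict):
        post = parser("application/json; charset=utf-8", JSON_BODY)
        print(parser.__name__, post, signed_parameter_names(post, "oauth_nonce=abc"))
```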

Attachments (0)

Change History (1)

comment:1 Changed 21 months ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

++++1, but duplicate of #5611
