Handle Extended Header Parameters Specified in RFC 2231
Reported by: Cea Stapleton
Owned by: nobody
Severity: Normal
Keywords: multipart, rfc compliance, files
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
This ticket originates with a bug reported in Requests, here, but it is actually a bug in all versions of Django (and Rack, and more) in the implementation of RFC 2231 section 4 (from 1997). This was discussed tangentially in a previous thread here but not addressed.
For example, if someone tries to use a filename like u'файл', this should be sent to the server as filename*=utf-8''%D1%84%D0%B0%D0%B9%D0%BB. This is not properly parsed by Django, and so it appears to not have a filename at all.
I don't advise immediately parsing and decoding the value because of attacks that are possible through UTF-7 and other character sets.
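As an added illustration (not code from Django, Requests or the ticket reporter), the following Python parses a Content-Disposition header, recognises the RFC 2231 section 4 form `name*=charset'language'percent-encoded`, and decodes it only for a small charset allowlist, so that UTF-7 and similar encodings are refused rather than decoded; `SAFE_CHARSETS`, the function names and the fallback-to-plain-`filename` policy are assumptions of this example, and RFC 2231 continuations (`filename*0*=`) are not handled here.

```python
import re
from urllib.parse import unquote_to_bytes

# Charsets this example is willing to decode. Shifting/stateful encodings
# such as UTF-7 are deliberately absent (assumed allowlist, not Django's).
SAFE_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}

# RFC 2231 section 4 extended value: charset'language'percent-encoded-value
_EXT_VALUE = re.compile(r"^([^']*)'([^']*)'(.*)$", re.DOTALL)


def _split_params(text):
    """Split on ';' but not inside double-quoted strings (with backslash escapes)."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_content_disposition(header):
    """Return (disposition, params). Quoted strings are unquoted; values of
    RFC 2231 'name*' parameters are returned still percent-encoded."""
    parts = _split_params(header)
    disposition = parts[0].lower() if parts else ""
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue  # malformed parameter, ignore rather than guess
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape \" and \\
        params[name] = value
    return disposition, params


def decode_extended_value(value):
    """Decode charset'lang'%XX text; raises ValueError for unknown/unsafe
    charsets or for byte sequences invalid in the declared charset."""
    m = _EXT_VALUE.match(value)
    if m is None:
        raise ValueError("not an RFC 2231 extended value")
    charset, _language, encoded = m.groups()
    charset = charset.lower() or "us-ascii"
    if charset not in SAFE_CHARSETS:
        raise ValueError("refusing to decode charset %r" % charset)
    # Strict decoding: a bad byte raises UnicodeDecodeError (a ValueError).
    return unquote_to_bytes(encoded).decode(charset)


def filename_from_disposition(header):
    """Prefer a decodable filename*, otherwise fall back to plain filename."""
    _disposition, params = parse_content_disposition(header)
    if "filename*" in params:
        try:
            return decode_extended_value(params["filename*"])
        except ValueError:
            pass  # undecodable or disallowed charset: ignore the extended form
    return params.get("filename")


if __name__ == "__main__":
    # Constructed header using the value from the ticket.
    hdr = "form-data; name=\"file\"; filename*=utf-8''%D1%84%D0%B0%D0%B9%D0%BB"
    print(filename_from_disposition(hdr))
```

The decoder is strict on purpose: an undeclared or disallowed charset, or bytes that are invalid in the declared charset, make the extended parameter unusable, and the caller then sees only the plain `filename` (or nothing), which is the safe failure for an upload handler.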