Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#23047 closed Bug (duplicate)

Handle Extended Header Parameters Specified in RFC # 2231

Reported by: Cea Stapleton Owned by: nobody
Component: File uploads/storage Version: 1.6
Severity: Normal Keywords: multipart, rfc compliance, files
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


This ticket originates with a bug reported in Requests, here but is actually a bug in all versions of Django (and Rack, and more) with the implementation of RFC #2231 section 4 (from 1997). This was discussed tangentially in a previous thread here but not addressed.

For example if someone tries to use a filename like u'файл', this should be sent to the server as filename*=utf-8''%D1%84%D0%B0%D0%B9%D0%BB. This is not properly parsed by Django and so it appears to not have a filename at all.

I don't advise immediately parsing and decoding the value because of attacks that are possible through utf-7 and other character sets.

Change History (3)

comment:1 Changed 4 years ago by Cea Stapleton

Currently working on a patch now.

comment:2 Changed 4 years ago by Claude Paroz

Resolution: duplicate
Status: newclosed

Duplicate of #22971. May I ask you to review the patch there? And maybe tell us more about possible attacks.

comment:3 Changed 4 years ago by Cea Stapleton

Happy to review; a cursory look at the patch makes it seem incomplete but will provide further commentary on the other ticket.

Note: See TracTickets for help on using tickets.
Back to Top