#23047 closed Bug (duplicate)
Handle Extended Header Parameters Specified in RFC # 2231
| Reported by: | Cea Stapleton | Owned by: | nobody |
|---|---|---|---|
| Component: | File uploads/storage | Version: | 1.6 |
| Severity: | Normal | Keywords: | multipart, rfc compliance, files |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This ticket originates with a bug reported in Requests, here but is actually a bug in all versions of Django (and Rack, and more) with the implementation of RFC #2231 section 4 (from 1997). This was discussed tangentially in a previous thread here but not addressed.
For example if someone tries to use a filename like u'файл', this should be sent to the server as filename*=utf-8''%D1%84%D0%B0%D0%B9%D0%BB. This is not properly parsed by Django and so it appears to not have a filename at all.
I don't advise immediately parsing and decoding the value because of attacks that are possible through utf-7 and other character sets.
Change History (3)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Duplicate of #22971. May I ask you to review the patch there? And maybe tell us more about possible attacks.
comment:3 by , 10 years ago
Happy to review; a cursory look at the patch makes it seem incomplete but will provide further commentary on the other ticket.
Currently working on a patch now.