Opened 23 months ago

Closed 23 months ago

Last modified 23 months ago

#23047 closed Bug (duplicate)

Handle Extended Header Parameters Specified in RFC # 2231

Reported by: ceaess Owned by: nobody
Component: File uploads/storage Version: 1.6
Severity: Normal Keywords: multipart, rfc compliance, files
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


This ticket originates with a bug reported in Requests, here but is actually a bug in all versions of Django (and Rack, and more) with the implementation of RFC #2231 section 4 (from 1997). This was discussed tangentially in a previous thread here but not addressed.

For example if someone tries to use a filename like u'файл', this should be sent to the server as filename*=utf-8''%D1%84%D0%B0%D0%B9%D0%BB. This is not properly parsed by Django and so it appears to not have a filename at all.

I don't advise immediately parsing and decoding the value because of attacks that are possible through utf-7 and other character sets.

Change History (3)

comment:1 Changed 23 months ago by ceaess

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Currently working on a patch now.

comment:2 Changed 23 months ago by claudep

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #22971. May I ask you to review the patch there? And maybe tell us more about possible attacks.

comment:3 Changed 23 months ago by ceaess

Happy to review; a cursory look at the patch makes it seem incomplete but will provide further commentary on the other ticket.

Note: See TracTickets for help on using tickets.
Back to Top