Context Navigation

← Previous Ticket
Next Ticket →

#23887 closed Bug (fixed)

Invalid multipart boundary causes internal server error

Reported by:	Tim Graham	Owned by:	Claude Paroz
Component:	HTTP handling	Version:	1.7
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Reported by Antti Häyrynen and verified by me.

In http/request.py _load_post_and_files when calling self.parse_file_upload failures raise MultiPartParserError, which causes http request handler to throw 500 in case multipart has something wrong (invalid boundary and apparently negative content length). I think bad request would be better response to this.

Attached is a sample HTTP request, which has a bell in mime boundary that makes django return 500.

To reproduce (you must have the admin installed so /admin/login/ doesn't 404):

$ nc 127.0.0.1 8000 < beep-500.httpreq

Attachments (1)

beep-500.httpreq (556 bytes ) - added by Tim Graham 11 years ago.

Download all attachments as: .zip

Change History (7)

by Tim Graham, 11 years ago

Attachment:	beep-500.httpreq added

comment:1 by Claude Paroz, 11 years ago

Owner:	changed from nobody to Claude Paroz
Status:	new → assigned

comment:2 by Claude Paroz, 11 years ago

Has patch:	set

https://github.com/django/django/pull/3599

comment:3 by Aymeric Augustin, 11 years ago

Did you consider having MultiPartParserError inherit SuspiciousOperation?

That would result in a 400 (if memory serves).

comment:4 by Claude Paroz, 11 years ago

Right, it would be simpler/cleaner.
However, I wonder if this would be semantically correct. Can we really consider MultiPartParserError as a SuspiciousOperation? Note that SuspiciousOperation exceptions are logged to the security logger.

comment:5 by Aymeric Augustin, 11 years ago

Triage Stage:	Accepted → Ready for checkin

Right, it looks like it isn't the best choice in that case. I just wanted to make sure it had been considered :-)

I left a small suggestion on the PR, otherwise this is good to go.

comment:6 by Claude Paroz <claude@…>, 11 years ago

Resolution:	→ fixed
Status:	assigned → closed

In b38637d5813f014fbe3e031253a166c208c387e1:

Fixed #23887 -- Returned Bad Request for multipart parsing fails

Thanks Antti Häyrynen and Tim Graham for the report, and Aymeric
Augustin for the review.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues