Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#26325 closed Bug (fixed)

File upload crashes when presented with filename ending with a backslash

Reported by: jmb202
Owned by: nobody
Component: File uploads/storage
Version: 1.8
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The multipart parser in Django 1.8.10 will crash if the following conditions are met:

  • the total POST body is small enough to cause the MemoryFileUploadHandler to be active
  • the name of the file provided in the multipart header ends with a backslash

The following traceback is obtained:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 125, in get_response
  File "/usr/lib/python2.7/dist-packages/django/middleware/csrf.py", line 170, in process_view
    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
  File "/usr/lib/python2.7/dist-packages/django/core/handlers/wsgi.py", line 146, in _get_post
    self._load_post_and_files()
  File "/usr/lib/python2.7/dist-packages/django/http/request.py", line 215, in _load_post_and_files
    self._post, self._files = self.parse_file_upload(self.META, data)
  File "/usr/lib/python2.7/dist-packages/django/http/request.py", line 180, in parse_file_upload
    return parser.parse()
  File "/usr/lib/python2.7/dist-packages/django/http/multipartparser.py", line 145, in parse
    self.handle_file_complete(old_field_name, counters)
  File "/usr/lib/python2.7/dist-packages/django/http/multipartparser.py", line 255, in handle_file_complete
    file_obj = handler.file_complete(counters[i])
  File "/usr/lib/python2.7/dist-packages/django/core/files/uploadhandler.py", line 141, in file_complete
    self.file.seek(0)
AttributeError: 'TemporaryFileUploadHandler' object has no attribute 'file'

I have attached a patch containing a proposed fix and regression test.

Attachments (1)

fix-multipart-file-upload.diff (2.7 KB) - added by jmb202 5 years ago.
Proposed fix


Change History (6)

Changed 5 years ago by jmb202

Proposed fix

comment:1 Changed 5 years ago by Tim Graham

Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

Could you send the patch as a pull request to the master branch?

comment:2 Changed 5 years ago by jmb202

Sure. You can find it here: https://github.com/django/django/pull/6251

comment:3 Changed 5 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 4b129ac:

Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string.

comment:4 Changed 5 years ago by Tim Graham <timograham@…>

In 809eb5d:

[1.9.x] Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string.

Backport of 4b129ac81f4fa38004950d0b307f81d1e9b44af8 from master

comment:5 Changed 5 years ago by Tim Graham <timograham@…>

In a5e9ae9a:

[1.8.x] Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string.

Backport of 4b129ac81f4fa38004950d0b307f81d1e9b44af8 from master
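
The behaviour named in the fix, ignoring filenames that normalize to an empty string, can be shown with a small stand-alone sketch. This is an added example, not Django's code or the attached patch: the function names are hypothetical, and the normalization (keep the text after the last backslash, then trim whitespace) is an assumption made for illustration.

```python
# Added example, not Django's code. Function names are hypothetical.

def normalize_filename(raw):
    """Assumed normalization: keep the text after the last backslash
    (dropping a client-side path prefix) and trim whitespace."""
    return raw[raw.rfind("\\") + 1:].strip()


def select_uploads(parts, check_after_normalizing=True):
    """Return (field, filename) pairs for parts to hand to upload handlers.

    parts: iterable of (field_name, raw_filename or None).
    With check_after_normalizing=False the emptiness test sees only the
    raw name, so a name that normalizes to "" is still handed on.
    """
    accepted = []
    for field, raw in parts:
        if not raw:
            continue  # no filename parameter at all: not a file upload
        name = normalize_filename(raw)
        if check_after_normalizing and not name:
            continue  # normalized to "": ignore the part
        accepted.append((field, name))
    return accepted


# Constructed sample input: (field name, filename as sent by the client).
SAMPLE_PARTS = [
    ("doc", "C:\\Users\\alice\\report.pdf"),
    ("doc", "backslash\\"),   # ends with a backslash
    ("doc", "   "),           # whitespace only
    ("doc", None),            # ordinary form field
    ("doc", "notes.txt"),
]

if __name__ == "__main__":
    for label, flag in (("raw check only", False),
                        ("check after normalizing", True)):
        print(label, select_uploads(SAMPLE_PARTS, check_after_normalizing=flag))
```

The point for input handling in general is that an emptiness or validity check belongs after the value has been put in its final form, not before.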
