Opened 3 years ago

Closed 3 years ago

#27153 closed Cleanup/optimization (fixed)

HttpResponseBase should check for valid HTTP status code

Reported by: Ryan Allen
Owned by: nobody
Component: HTTP handling
Version: 1.10
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently, the HttpResponseBase class does not check for Type or Value Error on the HTTP status code. If a bad value such as a string is passed to it, an exception is not thrown until it reaches:

File "django/http/utils.py", line 17, in conditional_content_removal
    if 100 <= response.status_code < 200 or response.status_code in (204, 304):
TypeError: unorderable types: int() <= str()

Proposed fix:

  • Valid status values in the form of a string should be coerced to an integer if possible.
  • Integer values less than 100 or greater than 599 should also be rejected based on W3C Status Code Definitions RFC 2612
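
The late failure and the proposed check side by side, as an added example that is not Django's code or the committed patch. The class and function names (`UncheckedResponse`, `CheckedResponse`, `has_no_body`, `outcome`) are hypothetical, and the sample status values are constructed.

```python
class UncheckedResponse:
    """Stores whatever status it is given (the behaviour the ticket reports)."""
    def __init__(self, status=200):
        self.status_code = status


class CheckedResponse:
    """Validates the status when the response is built (the proposed fix)."""
    def __init__(self, status=200):
        try:
            self.status_code = int(status)  # "204" -> 204
        except (ValueError, TypeError):
            raise TypeError("HTTP status code must be an integer, got %r" % (status,))
        if not 100 <= self.status_code <= 599:
            raise ValueError("HTTP status code must be from 100 to 599, got %r" % (status,))


def has_no_body(response):
    """Same comparison as the line quoted in the traceback."""
    return 100 <= response.status_code < 200 or response.status_code in (204, 304)


def outcome(cls, status):
    """Report where a status value fails, or the no-body flag if it never does."""
    try:
        response = cls(status)
    except (TypeError, ValueError) as exc:
        return "construct:" + type(exc).__name__
    try:
        return has_no_body(response)
    except TypeError:
        return "use:TypeError"


if __name__ == "__main__":
    # Constructed sample inputs: valid int, numeric string, junk, None, out of range.
    for value in (204, "204", "abc", None, 99, 600):
        print(repr(value), outcome(UncheckedResponse, value), outcome(CheckedResponse, value))
```

Without the check, a string status fails only when the response is later inspected, and out-of-range integers such as 99 or 600 never fail at all.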

Change History (4)

comment:2 Changed 3 years ago by Tim Graham

Easy pickings: unset
Patch needs improvement: set
Triage Stage: Unreviewed → Accepted

comment:3 Changed 3 years ago by Tim Graham

Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

comment:4 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 190d2ff4:

Fixed #27153 -- Added validation for HttpResponse status.
