Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#30227 closed Bug (fixed)

POST "multipart/form-data" without "boundary" causes AttributeError

Reported by: Oxygen Owned by: nobody
Component: HTTP handling Version: 2.1
Severity: Normal Keywords: multipart, boundary
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

curl -sv http://example.com/my_api/ -XPOST -H 'Content-Type: multipart/form-data'

This causes an "500 Internal Server Error", which is supposed to be "400 Bad Request".

Traceback with sensitive information removed:

Traceback (most recent call last):
  ...
  File ".../site-packages/django/core/handlers/wsgi.py", line 111, in _get_post
    self._load_post_and_files()
  File ".../site-packages/django/http/request.py", line 310, in _load_post_and_files
    self._post, self._files = self.parse_file_upload(self.META, data)
  File ".../site-packages/django/http/request.py", line 268, in parse_file_upload
    parser = MultiPartParser(META, post_data, self.upload_handlers, self.encoding)
  File ".../site-packages/django/http/multipartparser.py", line 72, in __init__
    raise MultiPartParserError('Invalid boundary in multipart: %s' % boundary.decode())
AttributeError: 'NoneType' object has no attribute 'decode'

Possible fix:

Replace boundary.decode() at django/http/multipartparser.py:72 with force_text(boundary, errors="replace")

Change History (6)

comment:1 by Tim Graham, 5 years ago

Has patch: set
Triage Stage: UnreviewedAccepted

PR

I didn't include errors="replace" -- can you give a case where that's needed?

comment:2 by Simon Charette, 5 years ago

Tim, I think that passing an invalid UTF-8 byte sequence as boundary could cause force_str to crash with UnicodeDecodeError

e.g. `boundary = u'timgràhàm'.encode('latin')

But that might crash even sooner.

Last edited 5 years ago by Simon Charette (previous) (diff)

comment:3 by Tim Graham, 5 years ago

Yes, it crashes at content_type.encode('ascii'). I added a second commit with a helpful message for that case.

comment:4 by Mariusz Felisiak, 5 years ago

Triage Stage: AcceptedReady for checkin

comment:5 by Tim Graham <timograham@…>, 5 years ago

Resolution: fixed
Status: newclosed

In 2ed2acf8:

Fixed #30227 -- Fixed crash on request without boundary in Content-Type.

comment:6 by Tim Graham <timograham@…>, 5 years ago

In 8ec7ded3:

Refs #30227 -- Added helpful message for non-ASCII Content-Type in mulitpart request.

Note: See TracTickets for help on using tickets.
Back to Top