#30227 closed Bug (fixed)
POST "multipart/form-data" without "boundary" causes AttributeError
Reported by: | Oxygen | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 2.1 |
Severity: | Normal | Keywords: | multipart, boundary |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
curl -sv http://example.com/my_api/ -XPOST -H 'Content-Type: multipart/form-data'
This causes an "500 Internal Server Error", which is supposed to be "400 Bad Request".
Traceback with sensitive information removed:
Traceback (most recent call last): ... File ".../site-packages/django/core/handlers/wsgi.py", line 111, in _get_post self._load_post_and_files() File ".../site-packages/django/http/request.py", line 310, in _load_post_and_files self._post, self._files = self.parse_file_upload(self.META, data) File ".../site-packages/django/http/request.py", line 268, in parse_file_upload parser = MultiPartParser(META, post_data, self.upload_handlers, self.encoding) File ".../site-packages/django/http/multipartparser.py", line 72, in __init__ raise MultiPartParserError('Invalid boundary in multipart: %s' % boundary.decode()) AttributeError: 'NoneType' object has no attribute 'decode'
Possible fix:
Replace boundary.decode()
at django/http/multipartparser.py:72
with force_text(boundary, errors="replace")
Change History (6)
comment:1 by , 6 years ago
Has patch: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 6 years ago
Tim, I think that passing an invalid UTF-8 byte sequence as boundary could cause force_str
to crash with UnicodeDecodeError
e.g. boundary = u'timgràhàm'.encode('latin').decode('utf-8')
But that might crash even sooner.
comment:3 by , 6 years ago
Yes, it crashes at content_type.encode('ascii')
. I added a second commit with a helpful message for that case.
comment:4 by , 6 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
PR
I didn't include
errors="replace"
-- can you give a case where that's needed?