Context Navigation

← Previous Ticket
Next Ticket →

#34742 closed Bug (fixed)

calling a DELETE endpoint without a trailing slash does not thow RuntimeError in DEBUG mode

Reported by:	Troy Sankey	Owned by:	Avaneesh Kumar
Component:	HTTP handling	Version:	4.2
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Troy Sankey)

If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a standard DRF-generated POST, PUT, or PATCH endpoint without a trailing slash will result in intentionally raising a RuntimeError in order to warn developers that API clients should be fixed to include a trailing slash or else the 301 redirect will silently convert the request into a GET and clear the request payload:

https://github.com/django/django/blob/fbac2a4dd846b52c4f379eacb5bab654fe9540cc/django/middleware/common.py#L86

The problem:

The above linked code doesn't also do the same for DELETE, so DELETE calls missing trailing slashes are silently converted to GET calls in development environments which could result in uncaught bugs in production.

I proposed a simple fix: https://github.com/django/django/pull/17072/files

Change History (9)

comment:1 by Troy Sankey, 16 months ago

Description:	modified (diff)

comment:2 by Simon Charette, 16 months ago

Component:	Error reporting → HTTP handling
Owner:	set to Troy Sankey
Status:	new → assigned
Triage Stage:	Unreviewed → Accepted

comment:3 by Simon Charette, 16 months ago

Needs tests:	set

comment:4 by Simon Charette, 16 months ago

Accepting this ticket as it's coherent with #24145 (5b74134f27eabf92870e1c5e81f9e4999f113eab).

See tests/middleware/tests.py to add an assertion to test_append_slash_no_redirect_on_POST_in_DEBUG Troy.

comment:5 by Avaneesh Kumar, 11 months ago

Owner:	changed from Troy Sankey to Avaneesh Kumar

comment:6 by Avaneesh Kumar, 11 months ago

Needs tests:	unset
Triage Stage:	Accepted → Ready for checkin

I have added an assertion to test_append_slash_no_redirect_in_DEBUG in tests/middleware/tests.py which would check for DELETE request along with POST, PUT, and PATCH.

The pull request can be found here: https://github.com/django/django/pull/17584

comment:7 by Mariusz Felisiak, 11 months ago

Triage Stage:	Ready for checkin → Accepted

Please don't mark your own PRs as Ready for checkin.

comment:8 by Mariusz Felisiak, 11 months ago

Triage Stage:	Accepted → Ready for checkin

comment:9 by Mariusz Felisiak <felisiak.mariusz@…>, 11 months ago

Resolution:	→ fixed
Status:	assigned → closed

In 705b170:

Fixed #34742 -- Made CommonMiddleware raise APPEND_SLASH RuntimeError on DELETE requests.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues