Opened 16 months ago
Closed 12 months ago
#34742 closed Bug (fixed)
calling a DELETE endpoint without a trailing slash does not thow RuntimeError in DEBUG mode
Reported by: | Troy Sankey | Owned by: | Avaneesh Kumar |
---|---|---|---|
Component: | HTTP handling | Version: | 4.2 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a standard DRF-generated POST, PUT, or PATCH endpoint without a trailing slash will result in intentionally raising a RuntimeError in order to warn developers that API clients should be fixed to include a trailing slash or else the 301 redirect will silently convert the request into a GET and clear the request payload:
The problem:
The above linked code doesn't also do the same for DELETE, so DELETE calls missing trailing slashes are silently converted to GET calls in development environments which could result in uncaught bugs in production.
I proposed a simple fix: https://github.com/django/django/pull/17072/files
Change History (9)
comment:1 by , 16 months ago
Description: | modified (diff) |
---|
comment:2 by , 16 months ago
Component: | Error reporting → HTTP handling |
---|---|
Owner: | set to |
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 16 months ago
Needs tests: | set |
---|
comment:4 by , 16 months ago
comment:5 by , 12 months ago
Owner: | changed from | to
---|
comment:6 by , 12 months ago
Needs tests: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
I have added an assertion to test_append_slash_no_redirect_in_DEBUG
in tests/middleware/tests.py
which would check for DELETE request along with POST, PUT, and PATCH.
The pull request can be found here: https://github.com/django/django/pull/17584
comment:7 by , 12 months ago
Triage Stage: | Ready for checkin → Accepted |
---|
Please don't mark your own PRs as Ready for checkin.
comment:8 by , 12 months ago
Triage Stage: | Accepted → Ready for checkin |
---|
Accepting this ticket as it's coherent with #24145 (5b74134f27eabf92870e1c5e81f9e4999f113eab).
See
tests/middleware/tests.py
to add an assertion totest_append_slash_no_redirect_on_POST_in_DEBUG
Troy.