Opened 16 months ago

Last modified 11 months ago

#34742 closed Bug

calling a DELETE endpoint without a trailing slash does not thow RuntimeError in DEBUG mode — at Version 1

Reported by: Troy Sankey Owned by:
Component: HTTP handling Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Troy Sankey)

If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a standard DRF-generated POST, PUT, or PATCH endpoint without a trailing slash will result in intentionally raising a RuntimeError in order to warn developers that API clients should be fixed to include a trailing slash or else the 301 redirect will silently convert the request into a GET and clear the request payload:

https://github.com/django/django/blob/fbac2a4dd846b52c4f379eacb5bab654fe9540cc/django/middleware/common.py#L86

The problem:

The above linked code doesn't also do the same for DELETE, so DELETE calls missing trailing slashes are silently converted to GET calls in development environments which could result in uncaught bugs in production.

I proposed a simple fix: https://github.com/django/django/pull/17072/files

Change History (1)

comment:1 by Troy Sankey, 16 months ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top