Opened 2 hours ago
#36833 assigned Bug
HttpRequest.accepted_types incorrectly splits Accept header on commas inside quoted parameter values
| Reported by: | Naveed Qadir | Owned by: | Naveed Qadir |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Naveed Qadir | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The accepted_types property in HttpRequest uses str.split(",") to parse the Accept header, which incorrectly splits on commas that appear inside quoted parameter values.
Example
```python
# Accept header with quoted parameter containing comma
header = 'text/plain; param="a,b", application/json'

# Current behavior (WRONG):
header.split(",")
# Returns: ['text/plain; param="a', 'b"', ' application/json']
# 3 parts - comma inside quotes was incorrectly treated as separator

# Expected behavior (per RFC 7231):
# Should return 2 media types:
# 1. text/plain; param="a,b"
# 2. application/json
```
RFC Reference
RFC 7231 Section 5.3.2 specifies that media-type parameters can contain quoted-string values, and RFC 7230 Section 3.2.6 allows commas within quoted strings.
Proposed Fix
Add a split_header_words() helper function to django/utils/http.py that splits on commas while respecting quoted strings, similar to how _parseparam() handles semicolons.
A patch with tests is available.
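
A quote-aware splitter of the kind described above, as an added example: it is not the patch attached to this ticket or Django's code, and the name `split_outside_quotes` is hypothetical. It goes beyond the single case in the description by also handling backslash-escaped quotes (quoted-pair, RFC 7230 Section 3.2.6), empty list elements and an unterminated quote.

```python
def split_outside_quotes(header, sep=","):
    """Split a header value on sep, ignoring separators inside quoted-strings.

    Hypothetical helper (not Django's). Per RFC 7230 section 3.2.6 a
    quoted-string is delimited by DQUOTE, and a backslash inside it escapes
    the following character (quoted-pair).
    """
    parts, current = [], []
    in_quotes = False
    escaped = False
    for ch in header:
        if escaped:
            # Character after a backslash is literal, even if it is a quote.
            current.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    # An unterminated quote swallows the rest of the header into one element
    # instead of guessing where the quoted value was meant to end.
    parts.append("".join(current).strip())
    # Empty elements (e.g. "a,,b") carry no media type and are dropped.
    return [p for p in parts if p]


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        'text/plain; param="a,b", application/json',
        'text/plain; param="a\\"b,c", application/json',
        "text/html,, */*;q=0.8",
        'text/plain; param="a,b, application/json',
    ]
    for value in samples:
        print(repr(value), "->", split_outside_quotes(value))
```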