Context Navigation

← Previous Ticket
Next Ticket →

#36931 closed Cleanup/optimization (fixed)

Unhandled LookupError in multipart parser when RFC 2231 encoding name is invalid

Reported by:	sammiee5311	Owned by:	sammiee5311
Component:	HTTP handling	Version:	6.0
Severity:	Normal	Keywords:	multipart parser LookupError RFC2231
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	yes	UI/UX:	no

Description (last modified by sammiee5311)

When a multipart form upload includes an RFC 2231 encoded filename* parameter with an invalid encoding name (e.g., filename*=BOGUS''test%20file.txt), parse_header_parameters(), django/utils/http.py passes the encoding to urllib.parse.unquote(), which raises LookupError.

The caller in django/http/multipartparser.py only catches ValueError:

except ValueError:  # Invalid header.
    continue

Since LookupError is not a subclass of ValueError, the exception propagates and results in a 500 Internal Server Error.

Steps to Reproduce

Create a simple upload view:

from django.http import JsonResponse
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def upload(request):
    if request.method == "POST" and request.FILES:
        return JsonResponse({"filename": request.FILES["file"].name})
    return JsonResponse({"error": "No file"}, status=400)

Send a multipart request with a bogus encoding:

import http.client
boundary = "----PoC"
body = (
    f"--{boundary}\r\n"
    f"Content-Disposition: form-data; name=\"file\"; "
    f"filename*=BOGUS''test%20file.txt\r\n"
    f"Content-Type: application/octet-stream\r\n"
    f"\r\n"
    f"content\r\n"
    f"--{boundary}--\r\n"
)
conn = http.client.HTTPConnection("localhost", 8000)
conn.request("POST", "/upload/", body=body.encode(),
    headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
print(conn.getresponse().status)  # Returns 500

The filename must contain at least one percent-encoded character (e.g., %20) for unquote() to invoke the codec.

Confirmed on Django 6.0.2, Python 3.14.

PR link: https://github.com/django/django/pull/20714

Change History (10)

comment:1 by sammiee5311, 4 weeks ago

Description:	modified (diff)

comment:2 by sammiee5311, 3 weeks ago

PR: https://github.com/django/django/pull/20714

All tests pass (requests_tests — 115 tests) under SQLite, Python 3.14, macOS.

comment:3 by Huwaiza, 3 weeks ago

Owner:	set to Huwaiza
Status:	new → assigned

comment:4 by Huwaiza, 3 weeks ago

Owner:	Huwaiza removed
Status:	assigned → new

comment:5 by sammiee5311, 3 weeks ago

Description:	modified (diff)

comment:6 by sammiee5311, 3 weeks ago

Owner:	set to sammiee5311
Status:	new → assigned

comment:7 by Jacob Walls, 3 weeks ago

Triage Stage:	Unreviewed → Accepted
Type:	Bug → Cleanup/optimization

comment:8 by Jacob Walls, 3 weeks ago

Patch needs improvement:	set

comment:9 by Jacob Walls, 2 weeks ago

Patch needs improvement:	unset
Triage Stage:	Accepted → Ready for checkin

comment:10 by Jacob Walls <jacobtylerwalls@…>, 2 weeks ago

Resolution:	→ fixed
Status:	assigned → closed

In e84dc871:

Fixed #36931 -- Handled LookupError in multipart parser for invalid RFC 2231 encoding.

Added LookupError to the except clause so invalid headers are silently
skipped, consistent with other malformed header handling.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues