Changes between Initial Version and Version 2 of Ticket #36991
- Timestamp:
- Mar 17, 2026, 6:32:20 PM (3 weeks ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
Ticket #36991
- Property Triage Stage Unreviewed → Accepted
Ticket #36991 – Description
Unmodified: parse_header_parameters() in django/utils/http.py crashes with an unhandled LookupError when it receives a Content-Type header containing an RFC 2231 encoded parameter (e.g. charset*=) where the encoding portion is an invalid codec name. This causes Django's WSGI request initialization to raise an uncaught exception, resulting in HTTP 500 instead of HTTP 400.

Modified (initial): **Security note:** This crash can be triggered by any unauthenticated request. The crash occurs inside WSGIRequest.__init__() during WSGI request construction — before Django processes the Authorization header, before authentication middleware runs, and before any view-level access control is evaluated. No valid credentials are required to trigger the 500 response, making this exploitable as a denial-of-service vector against any endpoint.

Modified (v2): **Security note:** This crash can be triggered by any unauthenticated request. The crash occurs inside WSGIRequest.__init__() during WSGI request construction — before Django processes the Authorization header, before authentication middleware runs, and before any view-level access control is evaluated. No valid credentials are required to trigger the 500 response.

Unmodified: **Minimal reproduction:**
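The failure mode the ticket describes is `bytes.decode()` being handed an attacker-controlled codec name from an RFC 2231 `charset*=` parameter and raising LookupError. The following is an added, illustrative decoder (not Django's parse_header_parameters() and not the ticket's reproduction) that catches that LookupError and falls back to a fixed codec; the header strings, FALLBACK_CODEC and the simplified `;` splitting are assumptions of this example.

```python
import codecs
from urllib.parse import unquote_to_bytes

# Constructed example, not Django code: a defensive decoder for RFC 2231
# parameters ("charset*=...") whose encoding portion may be an invalid codec.
FALLBACK_CODEC = "latin-1"  # assumption: latin-1 decode never fails on any bytes


def decode_rfc2231_value(value):
    """Decode an RFC 2231 "charset'language'%XX..." value.

    Returns (text, codec_used). str.decode() raises LookupError both for an
    unknown codec name and for a non-text codec such as "rot13"; both are
    caught here instead of propagating up to the request constructor.
    """
    parts = value.split("'", 2)
    if len(parts) != 3:
        # Not RFC 2231 encoded at all; pass the value through unchanged.
        return value, None
    charset, _language, encoded = parts
    raw = unquote_to_bytes(encoded)  # undo %XX percent-encoding
    try:
        return raw.decode(charset, errors="replace"), codecs.lookup(charset).name
    except LookupError:
        return raw.decode(FALLBACK_CODEC), FALLBACK_CODEC


def parse_content_type(header):
    """Split 'type/subtype; k=v; k*=...' into (media_type, {param: value}).

    Simplified: parameters are split on ';' and surrounding quotes are only
    stripped, so quoted values that themselves contain ';' are not handled.
    """
    media_type, _, rest = header.partition(";")
    params = {}
    for part in rest.split(";"):
        key, sep, val = part.strip().partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        val = val.strip().strip('"')
        if key.endswith("*"):
            params[key[:-1]], _codec = decode_rfc2231_value(val)
        else:
            params[key] = val
    return media_type.strip().lower(), params


if __name__ == "__main__":
    # Constructed header whose charset*= parameter names an invalid codec.
    print(parse_content_type("text/plain; charset*=bogus-codec''utf-8"))
```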