Changes between Version 2 and Version 5 of Ticket #36991
- Timestamp: Mar 23, 2026, 4:28:00 AM (2 weeks ago)
Ticket #36991
- Property Owner set to
- Property Status new → assigned
- Property Has patch set
- Property Patch needs improvement set
Ticket #36991 – Description
| v2 | v5 | |
|---|---|---|
| 1 | | **Component:** HTTP handling |
| 2 | | **Type:** Bug |
| 3 | | **Version:** 5.1 (also affects 4.2, 5.2, main) |
| 4 | | **Severity:** Normal |
| 5 | | **Keywords:** parse_header_parameters, Content-Type, LookupError, urllib, unquote |
| 6 | | |
| 7 | | ------------------------- |
| 8 | | |
| 9 | | **Description:** |
| 10 | | |
| 11 | 1 | parse_header_parameters() in django/utils/http.py crashes with an unhandled LookupError when it receives a Content-Type header containing an RFC 2231 encoded parameter (e.g. charset*=) where the encoding portion is an invalid codec name. This causes Django's WSGI request initialization to raise an uncaught exception, resulting in HTTP 500 instead of HTTP 400. |
| 12 | 2 | |
| … | … | |
| 83 | 73 | - urllib.parse.unquote() is behaving correctly — the bug is that Django passes an unvalidated, user-controlled encoding name to it. |
| 84 | 74 | - Discoverable via API fuzzing tools (e.g. Mayhem4API). |
| 85 | | |
| 86 | | ------------------------- |
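The failure mode described in the ticket, reduced to a stand-alone sketch. This is an added example, not Django's code and not the patch attached to the ticket; the function names, the `BadHeaderParameter` exception and the sample values are all hypothetical or constructed.

```python
from urllib.parse import unquote


class BadHeaderParameter(ValueError):
    """Malformed client-supplied header parameter; a caller maps this to HTTP 400."""


def decode_unvalidated(ext_value):
    # The pattern the ticket describes: the codec name taken from the header
    # goes straight to unquote(), so an unknown name raises LookupError.
    encoding, _language, text = ext_value.split("'", 2)
    return unquote(text, encoding=encoding)


def decode_validated(ext_value):
    # RFC 2231 extended value: charset'language'percent-encoded-text
    parts = ext_value.split("'", 2)
    if len(parts) != 3:
        raise BadHeaderParameter("expected charset'language'value")
    encoding, _language, text = parts
    try:
        # Catch at the decode itself: names such as "hex" are registered
        # codecs but not text encodings, and still raise LookupError here.
        return unquote(text, encoding=encoding)
    except LookupError:
        raise BadHeaderParameter(f"unsupported charset {encoding!r}") from None


def outcome(decoder, ext_value):
    """Return the decoded text, or the name of the exception that escaped."""
    try:
        return decoder(ext_value)
    except Exception as exc:
        return type(exc).__name__


# Constructed sample values (not taken from the ticket).
SAMPLES = [
    "UTF-8'en'%E2%82%AC%20rates",          # valid codec
    "no-such-codec'en'%E2%82%AC%20rates",  # unknown codec name
    "hex'en'%E2%82%AC%20rates",            # registered, but not a text encoding
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, outcome(decode_unvalidated, sample),
              outcome(decode_validated, sample))
```

A pre-check with `codecs.lookup()` alone would accept `hex`, which is why the validated version handles the error where the decode happens.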