Opened 8 years ago

Closed 8 years ago

#9140 closed (duplicate)

bug in django.http.multipartparser.MultiPartParser after HttpResponseRedirect of a form post with files

Reported by: Nowell Strite Owned by: nobody
Component: HTTP handling Version: 1.0
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by Karen Tracey)

There is a bug in django.http.multipartparser.MultiPartParser where by if you redirect after a multipart/form-data post. This bug is avoidable if request.POST is not accessed outside of a "if request.method == 'POST':" conditional, but I feel that it is a bug none the less.

====== View that will recreate bug =======
import from django.http import HttpResponseRedirect, HttpResponse
def test(request):
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion
    request.POST.keys()
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

===================

The solutions are to either:

a) expect that nothing will ever attempt to access request.POST or request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid (attached patch)

Attachments (1)

mutlipart_post_bug_fix.diff (457 bytes) - added by Nowell Strite 8 years ago.
a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug descibed in ticket

Download all attachments as: .zip

Change History (4)

Changed 8 years ago by Nowell Strite

Attachment: mutlipart_post_bug_fix.diff added

a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug descibed in ticket

comment:1 Changed 8 years ago by Nowell Strite

Sorry about the ticket example, I forgot to preview before submission.

====== View that will recreate bug ======= 
from django.http import HttpResponseRedirect, HttpResponse 

def test(request):
    # I am only including this here to simulate an attempt to access request.POST
    # outside of a conditional to ensure the method is POST
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion 
    request.POST.keys() 
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

comment:2 Changed 8 years ago by Karen Tracey

Description: modified (diff)

comment:3 Changed 8 years ago by Karen Tracey

Resolution: duplicate
Status: newclosed

This looks like the same problem as #9014. If it's different in some way please reopen with traceback and deployment environment where you see this.

Note: See TracTickets for help on using tickets.
Back to Top