Opened 7 years ago

Closed 7 years ago

#9140 closed (duplicate)

bug in django.http.multipartparser.MultiPartParser after HttpResponseRedirect of a form post with files

Reported by: nbstrite Owned by: nobody
Component: HTTP handling Version: 1.0
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by kmtracey)

There is a bug in django.http.multipartparser.MultiPartParser whereby if you redirect after a multipart/form-data post. This bug is avoidable if request.POST is not accessed outside of an "if request.method == 'POST':" conditional, but I feel that it is a bug nonetheless.

====== View that will recreate bug =======
from django.http import HttpResponseRedirect, HttpResponse
def test(request):
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion
    request.POST.keys()
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

===================

The solutions are to either:

a) expect that nothing will ever attempt to access request.POST or request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid (attached patch)
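An added illustration, not Django's code and not the patch attached to this ticket: a cut-down model of the CONTENT_LENGTH check a multipart parser performs, with both remedies above built in (gating on request.method, and treating a zero Content-Length as an empty form rather than an error). The function load_post_and_files, the accept_empty switch and the sample requests are constructed for this example, and the stdlib email parser stands in for Django's multipart parser.

```python
# Added illustration for this ticket, not Django's own code: a cut-down model of
# how a request decides whether to parse a multipart body, with both remedies
# from the report (method gating; Content-Length 0 means an empty form).
from email.parser import BytesParser


class MultiPartParserError(Exception):
    pass


# Constructed sample requests (not captured traffic); the boundary is made up.
BOUNDARY = b"----ticket9140"
UPLOAD_BODY = (b"--" + BOUNDARY + b"\r\n"
               + b'Content-Disposition: form-data; name="title"\r\n\r\nhello\r\n'
               + b"--" + BOUNDARY + b"\r\n"
               + b'Content-Disposition: form-data; name="doc"; filename="a.txt"\r\n'
               + b"Content-Type: text/plain\r\n\r\nsome text\r\n"
               + b"--" + BOUNDARY + b"--\r\n")
UPLOAD_POST = {"REQUEST_METHOD": "POST",
               "CONTENT_TYPE": "multipart/form-data; boundary=" + BOUNDARY.decode(),
               "CONTENT_LENGTH": str(len(UPLOAD_BODY))}
# The situation the ticket describes: multipart Content-Type, zero Content-Length.
EMPTY_MULTIPART = dict(UPLOAD_POST, CONTENT_LENGTH="0")


def load_post_and_files(environ, body, accept_empty=True):
    """Return (fields, files) for a WSGI-style request. accept_empty=False
    reproduces the failure in the ticket: Content-Length 0 raises."""
    fields, files = {}, {}
    # Remedy a): never parse a body on anything but POST.
    if environ.get("REQUEST_METHOD") != "POST":
        return fields, files
    content_type = environ.get("CONTENT_TYPE", "")
    if not content_type.startswith("multipart/"):
        return fields, files          # urlencoded bodies are out of scope here
    try:
        content_length = int(environ.get("CONTENT_LENGTH") or "0")
    except ValueError:
        raise MultiPartParserError("Invalid content length: %r" % environ["CONTENT_LENGTH"])
    if content_length < 0 or (content_length == 0 and not accept_empty):
        raise MultiPartParserError("Invalid content length: %d" % content_length)
    if content_length == 0:
        return fields, files          # Remedy b): an empty body is an empty form
    # Parse the body with the stdlib MIME parser, standing in for Django's parser.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body[:content_length]
    for part in BytesParser().parsebytes(raw).walk():
        name = part.get_param("name", header="content-disposition")
        if part.is_multipart() or name is None:
            continue
        if part.get_filename() is not None:
            files[name] = part.get_filename()   # file parts: record the filename only
        else:
            fields[name] = part.get_payload(decode=True).decode("utf-8")
    return fields, files
```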

Attachments (1)

mutlipart_post_bug_fix.diff (457 bytes) - added by nbstrite 7 years ago.
a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug described in ticket


Change History (4)

Changed 7 years ago by nbstrite

a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug described in ticket

comment:1 Changed 7 years ago by nbstrite

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Sorry about the ticket example; I forgot to preview before submission.

====== View that will recreate bug =======
from django.http import HttpResponseRedirect, HttpResponse

def test(request):
    # I am only including this here to simulate an attempt to access request.POST
    # outside of a conditional to ensure the method is POST
    # this is obviously not a best practice, we should nest this
    # under a "if request.method == 'POST':" conditional. But some middleware
    # out of our control might access request.POST in an unsafe fashion
    request.POST.keys()
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

comment:2 Changed 7 years ago by kmtracey

  • Description modified (diff)

comment:3 Changed 7 years ago by kmtracey

  • Resolution set to duplicate
  • Status changed from new to closed

This looks like the same problem as #9014. If it's different in some way please reopen with traceback and deployment environment where you see this.
