Opened 16 years ago
Last modified 16 years ago
#9140 closed
bug in django.http.multipartparser.MultiPartParser after HttpResponseRedirect of a form post with files — at Initial Version
| Reported by: | Nowell Strite | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.0 |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
There is a bug in django.http.multipartparser.MultiPartParser where by if you redirect after a multipart/form-data post. This bug is avoidable if request.POST is not accessed outside of a "if request.method == 'POST':" conditional, but I feel that it is a bug none the less.
View that will recreate bug =
import from django.http import HttpResponseRedirect, HttpResponse
def test(request):
# this is obviously not a best practice, we should nest this
# under a "if request.method == 'POST':" conditional. But some middleware
# out of our control might access request.POST in an unsafe fashion
request.POST.keys()
if request.method == 'POST':
return HttpResponseRedirect('/')
return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")
===================
The solutions are to either:
a) expect that nothing will ever attempt to access request.POST or request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid (attached patch)
a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug descibed in ticket