Opened 16 years ago
Last modified 16 years ago
#9140 closed
bug in django.http.multipartparser.MultiPartParser after HttpResponseRedirect of a form post with files — at Version 2
Reported by: | Nowell Strite | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 1.0 |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Unreviewed | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
There is a bug in django.http.multipartparser.MultiPartParser where by if you redirect after a multipart/form-data post. This bug is avoidable if request.POST is not accessed outside of a "if request.method == 'POST':" conditional, but I feel that it is a bug none the less.
====== View that will recreate bug ======= import from django.http import HttpResponseRedirect, HttpResponse def test(request): # this is obviously not a best practice, we should nest this # under a "if request.method == 'POST':" conditional. But some middleware # out of our control might access request.POST in an unsafe fashion request.POST.keys() if request.method == 'POST': return HttpResponseRedirect('/') return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>") ===================
The solutions are to either:
a) expect that nothing will ever attempt to access request.POST or request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid (attached patch)
Change History (3)
by , 16 years ago
Attachment: | mutlipart_post_bug_fix.diff added |
---|
comment:1 by , 16 years ago
Sorry about the ticket example, I forgot to preview before submission.
====== View that will recreate bug ======= from django.http import HttpResponseRedirect, HttpResponse def test(request): # I am only including this here to simulate an attempt to access request.POST # outside of a conditional to ensure the method is POST # this is obviously not a best practice, we should nest this # under a "if request.method == 'POST':" conditional. But some middleware # out of our control might access request.POST in an unsafe fashion request.POST.keys() if request.method == 'POST': return HttpResponseRedirect('/') return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")
comment:2 by , 16 years ago
Description: | modified (diff) |
---|
a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug descibed in ticket