Context Navigation

← Previous Ticket
Next Ticket →

Opened 17 years ago

Last modified 17 years ago

#9140 closed

bug in django.http.multipartparser.MultiPartParser after HttpResponseRedirect of a form post with files — at Version 2

Reported by:	Nowell Strite	Owned by:	nobody
Component:	HTTP handling	Version:	1.0
Severity:		Keywords:
Cc:		Triage Stage:	Unreviewed
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Karen Tracey)

There is a bug in django.http.multipartparser.MultiPartParser where by if you redirect after a multipart/form-data post. This bug is avoidable if request.POST is not accessed outside of a "if request.method == 'POST':" conditional, but I feel that it is a bug none the less.

====== View that will recreate bug =======
import from django.http import HttpResponseRedirect, HttpResponse
def test(request):
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion
    request.POST.keys()
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

===================

The solutions are to either:

a) expect that nothing will ever attempt to access request.POST or request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid (attached patch)

Change History (3)

by Nowell Strite, 17 years ago

Attachment:	mutlipart_post_bug_fix.diff added

a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug descibed in ticket

comment:1 by Nowell Strite, 17 years ago

Sorry about the ticket example, I forgot to preview before submission.

====== View that will recreate bug ======= 
from django.http import HttpResponseRedirect, HttpResponse 

def test(request):
    # I am only including this here to simulate an attempt to access request.POST
    # outside of a conditional to ensure the method is POST
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion 
    request.POST.keys() 
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

comment:2 by Karen Tracey, 17 years ago

Description:	modified (diff)

Note: See TracTickets for help on using tickets.

Download in other formats: