Opened 16 years ago

Last modified 16 years ago

#9140 closed

bug in django.http.multipartparser.MultiPartParser after HttpResponseRedirect of a form post with files — at Version 2

Reported by: Nowell Strite Owned by: nobody
Component: HTTP handling Version: 1.0
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Karen Tracey)

There is a bug in django.http.multipartparser.MultiPartParser where by if you redirect after a multipart/form-data post. This bug is avoidable if request.POST is not accessed outside of a "if request.method == 'POST':" conditional, but I feel that it is a bug none the less.

====== View that will recreate bug =======
import from django.http import HttpResponseRedirect, HttpResponse
def test(request):
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion
    request.POST.keys()
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

===================

The solutions are to either:

a) expect that nothing will ever attempt to access request.POST or request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid (attached patch)

Change History (3)

by Nowell Strite, 16 years ago

Attachment: mutlipart_post_bug_fix.diff added

a simple patch to accept 0 length CONTENT_LENGTH header as valid to fix current bug descibed in ticket

comment:1 by Nowell Strite, 16 years ago

Sorry about the ticket example, I forgot to preview before submission.

====== View that will recreate bug ======= 
from django.http import HttpResponseRedirect, HttpResponse 

def test(request):
    # I am only including this here to simulate an attempt to access request.POST
    # outside of a conditional to ensure the method is POST
    # this is obviously not a best practice, we should nest this 
    # under a "if request.method == 'POST':" conditional. But some middleware 
    # out of our control might access request.POST in an unsafe fashion 
    request.POST.keys() 
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    return HttpResponse("<form enctype='multipart/form-data' action='/' method='post'><input type='submit' /></form>")

comment:2 by Karen Tracey, 16 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top