#30737: Incorrectly encoded headers can yield uncaught UnicodeDecodeError
-----------------------------------------+------------------------
               Reporter:  Mark Gordon    |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  Uncategorized  |        Version:  2.2
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  1
                  UI/UX:  0              |
-----------------------------------------+------------------------
 Sending a post with a Content-Type header that contains non-ascii
 characters will cause a UnicodeDecodeError to be raised and uncaught
 resulting in a 500 error rather than handling the issue and giving a 400
 as would be appropriate.

 Make such an erroneous request with something like:

 {{{
 curl -d '' -H 'Content-Type: application/€' http://django-server/
 }}}

 Raises the below exception/stack trace

 {{{
 UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 12: ordinal not in range(128)
 (15 additional frame(s) were not displayed)
 ...
   File "rest_framework/request.py", line 427, in POST
     self._load_data_and_files()
   File "rest_framework/request.py", line 275, in _load_data_and_files
     self._data, self._files = self._parse()
   File "rest_framework/request.py", line 337, in _parse
     if media_type and is_form_media_type(media_type):
   File "rest_framework/request.py", line 32, in is_form_media_type
     base_media_type, params = parse_header(media_type.encode(HTTP_HEADER_ENCODING))
   File "django/http/multipartparser.py", line 652, in parse_header
     key = plist.pop(0).lower().decode('ascii')
 }}}

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30737>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
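
Added example (not part of the ticket, and not Django or REST framework code): a self-contained model of the failure in the traceback, with the same strict ASCII decode next to a guarded variant that reports the malformed header as a 400. All names here (`parse_media_type`, `naive_view`, `guarded_view`, `dispatch`, `BadRequest`) are hypothetical, and the latin-1 round trip of the header value is an assumption about how the WSGI layer hands it over.

```python
# Added illustration: hypothetical names throughout, not Django or DRF code.
HTTP_HEADER_ENCODING = "iso-8859-1"  # assumption: WSGI exposes headers as latin-1 text

# Constructed sample: the header from the curl command as UTF-8 bytes on the wire,
# then as the latin-1-decoded string a WSGI server would hand to the application.
WIRE_BYTES = "application/€".encode("utf-8")
WSGI_VALUE = WIRE_BYTES.decode(HTTP_HEADER_ENCODING)


class BadRequest(Exception):
    """Hypothetical exception the toy dispatcher maps to HTTP 400."""


def parse_media_type(raw: bytes):
    """Split b'type/subtype; k=v' and decode strictly as ASCII, like the last traceback frame."""
    parts = [p.strip() for p in raw.split(b";")]
    key = parts.pop(0).lower().decode("ascii")  # UnicodeDecodeError on non-ASCII bytes
    params = {}
    for part in parts:
        name, sep, value = part.partition(b"=")
        if sep:
            params[name.strip().lower().decode("ascii")] = value.strip(b' "').decode("ascii")
    return key, params


def naive_view(content_type: str):
    """Parses the header with no error handling, as in the reported call chain."""
    return parse_media_type(content_type.encode(HTTP_HEADER_ENCODING))


def guarded_view(content_type: str):
    """Converts an undecodable header into a client error."""
    try:
        return parse_media_type(content_type.encode(HTTP_HEADER_ENCODING))
    except UnicodeError as exc:  # covers both encode and decode failures
        raise BadRequest("malformed Content-Type header") from exc


def dispatch(view, content_type: str) -> int:
    """Toy request cycle: BadRequest -> 400, any other uncaught exception -> 500."""
    try:
        view(content_type)
    except BadRequest:
        return 400
    except Exception:
        return 500
    return 200


if __name__ == "__main__":
    print(dispatch(naive_view, WSGI_VALUE), dispatch(guarded_view, WSGI_VALUE))
```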
