#9140: bug in django.http.multipartparser.MultiPartParser after
HttpResponseRedirect of a form post with files
------------------------------------+---------------------------------------
Reporter: nbstrite | Owner: nobody
Status: new | Milestone:
Component: HTTP handling | Version: 1.0
Resolution: | Keywords:
Stage: Unreviewed | Has_patch: 1
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
------------------------------------+---------------------------------------
Old description:
> There is a bug in django.http.multipartparser.MultiPartParser whereby if
> you redirect after a multipart/form-data post. This bug is avoidable if
> request.POST is not accessed outside of an "if request.method == 'POST':"
> conditional, but I feel that it is a bug nonetheless.
>
> ====== View that will recreate bug =======
> from django.http import HttpResponseRedirect, HttpResponse
>
> def test(request):
>     # this is obviously not a best practice, we should nest this
>     # under a "if request.method == 'POST':" conditional. But some middleware
>     # out of our control might access request.POST in an unsafe fashion
>     request.POST.keys()
>     if request.method == 'POST':
>         return HttpResponseRedirect('/')
>     return HttpResponse("<form enctype='multipart/form-data' action='/' "
>                         "method='post'><input type='submit' /></form>")
>
> ===================
>
> The solutions are to either:
> a) expect that nothing will ever attempt to access request.POST or
> request.FILES outside of a request.method == 'POST' conditional
> b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid
> (attached patch)
New description:
There is a bug in django.http.multipartparser.MultiPartParser whereby if
you redirect after a multipart/form-data post. This bug is avoidable if
request.POST is not accessed outside of an "if request.method == 'POST':"
conditional, but I feel that it is a bug nonetheless.
{{{
# ====== View that will recreate bug =======
from django.http import HttpResponseRedirect, HttpResponse

def test(request):
    # this is obviously not a best practice, we should nest this
    # under a "if request.method == 'POST':" conditional. But some middleware
    # out of our control might access request.POST in an unsafe fashion
    request.POST.keys()
    if request.method == 'POST':
        return HttpResponseRedirect('/')
    # adjacent string literals are joined, so the markup can span two lines
    return HttpResponse("<form enctype='multipart/form-data' action='/' "
                        "method='post'><input type='submit' /></form>")
# ===================
}}}
The solutions are to either:
a) expect that nothing will ever attempt to access request.POST or
request.FILES outside of a request.method == 'POST' conditional
b) Accept 0 length CONTENT_LENGTH submissions as perfectly valid
(attached patch)
--
Ticket URL: <http://code.djangoproject.com/ticket/9140#comment:2>
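
Option (b) sketched outside Django, as an added example that is neither Django's code nor the attached patch: a hypothetical `parse_multipart_form` helper over a WSGI environ that returns an empty form for a zero Content-Length instead of raising. The sample requests are constructed, and the shape of the request that follows the redirect is an assumption.

```python
import io
from email.parser import BytesParser


class InvalidContentLength(ValueError):
    """Content-Length was negative or not a number."""


def parse_multipart_form(environ):
    """Return {field name: value} for a multipart/form-data WSGI request.

    A Content-Length of 0 (or none at all) yields an empty form instead of
    an error, so code that reads the form on every request keeps working.
    """
    raw = environ.get("CONTENT_LENGTH") or "0"
    try:
        length = int(raw)
    except ValueError:
        raise InvalidContentLength(repr(raw))
    if length < 0:
        raise InvalidContentLength(repr(raw))
    if length == 0:
        return {}  # option (b): nothing was sent, so nothing to parse

    body = environ["wsgi.input"].read(length)
    # Prepend the Content-Type header so the stdlib MIME parser knows the boundary.
    head = b"Content-Type: " + environ["CONTENT_TYPE"].encode("latin-1") + b"\r\n\r\n"
    message = BytesParser().parsebytes(head + body)
    fields = {}
    for part in (message.get_payload() if message.is_multipart() else []):
        name = part.get_param("name", header="content-disposition")
        if name is not None:
            fields[name] = part.get_payload(decode=True).decode("utf-8")
    return fields


# Constructed sample requests (not captured traffic).
BODY = b'--XYZ\r\nContent-Disposition: form-data; name="user"\r\n\r\nalice\r\n--XYZ--\r\n'
FORM_POST = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(BODY)),
             "CONTENT_TYPE": "multipart/form-data; boundary=XYZ",
             "wsgi.input": io.BytesIO(BODY)}
# Assumed shape of the request that follows the redirect: the multipart
# Content-Type is still present, but there is no body.
AFTER_REDIRECT = {"REQUEST_METHOD": "GET", "CONTENT_LENGTH": "0",
                  "CONTENT_TYPE": "multipart/form-data; boundary=XYZ",
                  "wsgi.input": io.BytesIO(b"")}

if __name__ == "__main__":
    print(parse_multipart_form(FORM_POST))
    print(parse_multipart_form(AFTER_REDIRECT))
```
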