POST "multipart/form-data" without "boundary" causes AttributeError

[Oxygen]

curl -sv http://example.com/my_api/ -XPOST -H 'Content-Type: multipart/form-data'

This causes an "500 Internal Server Error", which is supposed to be "400 Bad Request".

Traceback with sensitive information removed:

Traceback (most recent call last):
  ...
  File ".../site-packages/django/core/handlers/wsgi.py", line 111, in _get_post
    self._load_post_and_files()
  File ".../site-packages/django/http/request.py", line 310, in _load_post_and_files
    self._post, self._files = self.parse_file_upload(self.META, data)
  File ".../site-packages/django/http/request.py", line 268, in parse_file_upload
    parser = MultiPartParser(META, post_data, self.upload_handlers, self.encoding)
  File ".../site-packages/django/http/multipartparser.py", line 72, in __init__
    raise MultiPartParserError('Invalid boundary in multipart: %s' % boundary.decode())
AttributeError: 'NoneType' object has no attribute 'decode'

Possible fix:

Replace boundary.decode() at django/http/multipartparser.py:72 with force_text(boundary, errors="replace")

[Tim Graham]

​PR

I didn't include errors="replace" -- can you give a case where that's needed?

[Simon Charette]

Tim, I think that passing an invalid UTF-8 byte sequence as boundary could cause force_str to crash with UnicodeDecodeError

e.g. `boundary = u'timgràhàm'.encode('latin')

But that might crash even sooner.

[Tim Graham]

Yes, it crashes at content_type.encode('ascii'). I added a second commit with a helpful message for that case.

[Tim Graham <timograham@…>]

In 2ed2acf8:

Fixed #30227 -- Fixed crash on request without boundary in Content-Type.

[Tim Graham <timograham@…>]

In 8ec7ded3:

Refs #30227 -- Added helpful message for non-ASCII Content-Type in mulitpart request.