Opened 5 years ago

Closed 5 years ago

#30737 closed Bug (invalid)

Incorrectly encoded headers can yield uncaught UnicodeDecodeError

Reported by: Mark Gordon
Owned by: nobody
Component: HTTP handling
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Sending a POST with a Content-Type header that contains non-ASCII characters will cause a UnicodeDecodeError to be raised and uncaught, resulting in a 500 error rather than handling the issue and giving a 400 as would be appropriate.

Make such an erroneous request with something like:

curl -d '' -H 'Content-Type: application/€' http://django-server/

Raises the below exception/stack trace

UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 12: ordinal not in range(128)
(15 additional frame(s) were not displayed)
...
  File "rest_framework/request.py", line 427, in POST
    self._load_data_and_files()
  File "rest_framework/request.py", line 275, in _load_data_and_files
    self._data, self._files = self._parse()
  File "rest_framework/request.py", line 337, in _parse
    if media_type and is_form_media_type(media_type):
  File "rest_framework/request.py", line 32, in is_form_media_type
    base_media_type, params = parse_header(media_type.encode(HTTP_HEADER_ENCODING))
  File "django/http/multipartparser.py", line 652, in parse_header
    key = plist.pop(0).lower().decode('ascii')

Change History (1)

comment:1 by Mariusz Felisiak, 5 years ago

Component: Uncategorized → HTTP handling
Easy pickings: unset
Resolution: invalid
Status: new → closed
Version: 2.2 → master

Thanks for this report, however parse_header is part of the internal API that expects ASCII-encoded bytes (see an example). You can raise an issue in DRF if you think that there is any in the way they handle/use it.

Closing per TicketClosingReasons/UseSupportChannels.
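
Added example (not code from Django or DRF): one way a caller can validate a Content-Type value and answer 400 before handing bytes to an ASCII-only parser like the one in the traceback. The names strict_parse_media_type, safe_media_type, handle, wsgi_header and BadRequest are hypothetical, and the latin-1 value of HTTP_HEADER_ENCODING is an assumption.

```python
HTTP_HEADER_ENCODING = "iso-8859-1"  # name from the traceback; value assumed

class BadRequest(Exception):
    """Hypothetical error that the caller maps to an HTTP 400 response."""
    status_code = 400

def wsgi_header(raw: bytes) -> str:
    """WSGI (PEP 3333) hands header bytes to the app as a latin-1 str."""
    return raw.decode("iso-8859-1")

def strict_parse_media_type(raw: bytes):
    """Stand-in for an ASCII-only parser, like the decode('ascii') frame."""
    parts = [p.strip() for p in raw.split(b";")]
    base = parts.pop(0).lower().decode("ascii")
    params = {}
    for part in parts:
        name, sep, value = part.partition(b"=")
        if sep:
            params[name.strip().lower().decode("ascii")] = (
                value.strip().strip(b'"').decode("ascii"))
    return base, params

def safe_media_type(header_value: str):
    """Reject anything the strict parser cannot take, then parse."""
    if not (header_value.isascii() and header_value.isprintable()):
        raise BadRequest("Content-Type must be printable ASCII")
    base, params = strict_parse_media_type(header_value.encode("ascii"))
    main, _, sub = base.partition("/")
    if not main or not sub or "/" in sub:
        raise BadRequest("malformed media type")
    return base, params

def handle(header_value: str):
    """Return (status, detail): 400 for a bad header instead of a 500."""
    try:
        return 200, safe_media_type(header_value)[0]
    except BadRequest as exc:
        return exc.status_code, str(exc)

# Constructed sample: the bytes curl sends for 'application/€' (UTF-8).
BAD = wsgi_header("application/€".encode("utf-8"))

if __name__ == "__main__":
    print(handle("application/json; charset=utf-8"))
    print(handle(BAD))
    try:
        strict_parse_media_type(BAD.encode(HTTP_HEADER_ENCODING))
    except UnicodeDecodeError as exc:
        print("unguarded:", exc)
```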
