Opened 5 years ago
Closed 5 years ago
#31429 closed Bug (needsinfo)
Django test client adds carriage return on empty request.
Reported by: | Muresan Paul | Owned by: | nobody |
---|---|---|---|
Component: | Testing framework | Version: | 3.0 |
Severity: | Normal | Keywords: | carriage-character Django-test security |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Steps to reproduce:
- Build an endpoint for POST/PUT/PATCH.
- Use an empty-body `client.post()` on the reversed URL.
- `list(request.body)` -> `['-', '-', 'B', 'o', 'U', 'n', 'D', 'a', 'R', 'y', 'S', 't', 'R', 'i', 'N', 'g', '-', '-', '\r', '\n']`
Issue:
If any security measures are in place, `\r` will always be sanitized. Any checks done on `request.body` will have to take this atypical case into account. This is due to how the Django client does JSON encoding, and it presents a danger.
Proposal:
Use the typical `json.dumps()` instead of the current implementation.
Change History (4)
comment:1 by , 5 years ago
Summary: Django Client. Empty adding carraige character in body → Django Client. Empty body adding carraige character
comment:2 by , 5 years ago
Summary: Django Client. Empty body adding carraige character → Django Client. Empty body adding carriage character
comment:3 by , 5 years ago
Type: Cleanup/optimization → Bug
comment:4 by , 5 years ago
Resolution: → needsinfo
Status: new → closed
Summary: Django Client. Empty body adding carriage character → Django test client adds carriage return on empty request.
Thanks for this ticket. First of all, we're talking about the test Client, so it's hard for me to imagine how this can be a security issue. Secondly, can you provide any details on why the carriage return is not expected, e.g. an RFC section? Thirdly, `post()` already uses `json.dumps()`, so I'm not sure what kind of change you're proposing.
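As an added illustration (not the reporter's code and not Django's own implementation), the following pure-Python model reproduces the bytes the reproduction steps describe and the `json.dumps()` path the closing comment refers to. The boundary value is the one visible in the ticket's output; the `encode_body` dispatch, the naive carriage-return check and the small parser are assumptions written for this example, and the multipart encoder is a simplified reconstruction that handles plain string/bytes fields only.

```python
"""Model of how a multipart/form-data body is built, showing where the
trailing CRLF in the ticket comes from.  Added illustration, not Django's
own code; BOUNDARY is taken from the ticket's output, everything else is
an assumption made for this example."""
import json
import re

# Boundary string as it appears in the ticket's list(request.body) output.
BOUNDARY = "BoUnDaRyStRiNg"
MULTIPART_CONTENT = f"multipart/form-data; boundary={BOUNDARY}"


def encode_multipart(boundary: str, data: dict) -> bytes:
    """Simplified RFC 2046 multipart encoding of str/bytes fields.

    Every line, including the closing delimiter, is terminated by CRLF,
    so an empty field set still yields b'--BOUNDARY--\\r\\n'.
    """
    lines = []
    for key, value in data.items():
        if isinstance(value, str):
            value = value.encode("utf-8")
        lines += [
            f"--{boundary}".encode(),
            f'Content-Disposition: form-data; name="{key}"'.encode(),
            b"",
            value,
        ]
    lines += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(lines)


def encode_body(data, content_type: str) -> bytes:
    """Assumed model of the test client's dispatch: JSON content types go
    through json.dumps, anything else through the multipart encoder."""
    if content_type.split(";")[0].strip() == "application/json":
        return json.dumps(data).encode("utf-8")
    return encode_multipart(BOUNDARY, data)


def naive_cr_check(body: bytes) -> bool:
    """A filter that flags any body containing a carriage return.  It flags
    every well-formed multipart body, which is the trap the ticket describes."""
    return b"\r" in body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Recover the fields, treating CRLF as the structural line terminator
    the format requires rather than as suspicious input."""
    delim = f"--{boundary}".encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):  # closing delimiter: "--BOUNDARY--"
            break
        header, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', header)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


if __name__ == "__main__":
    empty = encode_body({}, MULTIPART_CONTENT)
    print(list(empty.decode()))                  # the characters listed in the ticket
    print(encode_body({}, "application/json"))   # JSON path: no CR anywhere
    print(naive_cr_check(empty), parse_multipart(empty, BOUNDARY))
```

Running it shows that the CRLF after `--BoUnDaRyStRiNg--` is the line terminator the multipart format uses, so a byte-level filter that rejects `\r` rejects every well-formed multipart request, not just the empty one. A check that parses the body according to its declared content type, or a test that sends `content_type="application/json"` when a JSON body is what the endpoint expects, does not hit this false positive.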