author | Claude Paroz <claude@2xlibre.net> | 2014-11-21 21:47:46 +0100 |
committer | Claude Paroz <claude@2xlibre.net> | 2014-11-22 14:23:37 +0100 |
commit | b38637d5813f014fbe3e031253a166c208c387e1 (patch) | |
tree | 603bcadab0dba638a06b33c9c4aa51c7436441d1 | |
parent | b0a58b9085b0836a92e5a4ad72671936119fe1ba (diff) | |
download | django-b38637d5813f014fbe3e031253a166c208c387e1.tar.gz |
Fixed #23887 -- Returned Bad Request for multipart parsing failures
Thanks Antti Häyrynen and Tim Graham for the report, and Aymeric
Augustin for the review.
-rw-r--r-- | django/core/handlers/base.py | 10 | ||||
-rw-r--r-- | tests/handlers/tests.py | 13 | ||||
-rw-r--r-- | tests/handlers/urls.py | 1 | ||||
-rw-r--r-- | tests/handlers/views.py | 7 |
4 files changed, 31 insertions, 0 deletions
diff --git a/django/core/handlers/base.py b/django/core/handlers/base.py
index 121ff59bc3..30843bf7f7 100644
--- a/django/core/handlers/base.py
+++ b/django/core/handlers/base.py
@@ -10,6 +10,7 @@ from django.core import urlresolvers
 from django.core import signals
 from django.core.exceptions import MiddlewareNotUsed, PermissionDenied, SuspiciousOperation
 from django.db import connections, transaction
+from django.http.multipartparser import MultiPartParserError
 from django.utils.encoding import force_text
 from django.utils.module_loading import import_string
 from django.utils import six
@@ -176,6 +177,15 @@ class BaseHandler(object):
                 })
                 response = self.get_exception_response(request, resolver, 403)
 
+            except MultiPartParserError:
+                logger.warning(
+                    'Bad request (Unable to parse request body): %s', request.path,
+                    extra={
+                        'status_code': 400,
+                        'request': request
+                    })
+                response = self.get_exception_response(request, resolver, 400)
+
             except SuspiciousOperation as e:
                 # The request logger receives events for any problematic request
                 # The security logger receives events for all SuspiciousOperations
diff --git a/tests/handlers/tests.py b/tests/handlers/tests.py
index f574418ae2..a543513a25 100644
--- a/tests/handlers/tests.py
+++ b/tests/handlers/tests.py
@@ -93,6 +93,19 @@ class HandlerTests(TestCase):
         # latest versions.
         self.assertIsInstance(request.COOKIES, dict)
 
+    @override_settings(ROOT_URLCONF='handlers.urls')
+    def test_invalid_multipart_boundary(self):
+        """
+        Invalid boundary string should produce a "Bad Request" response, not a
+        server error (#23887).
+        """
+        environ = RequestFactory().post('/malformed_post/').environ
+        environ['CONTENT_TYPE'] = 'multipart/form-data; boundary=WRONG\x07'
+        handler = WSGIHandler()
+        response = handler(environ, lambda *a, **k: None)
+        # Expect "bad request" response
+        self.assertEqual(response.status_code, 400)
+
 
 @override_settings(ROOT_URLCONF='handlers.urls')
 class TransactionsPerRequestTests(TransactionTestCase):
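Review bot: The new `except MultiPartParserError:` clause discards the parser's own message, so the `django.request` warning records only the path and an operator triaging a burst of these cannot tell what about the body was rejected without replaying the request. Binding the exception and passing it as a lazy `%s` argument keeps the client-controlled detail out of the format string while still surfacing it: `except MultiPartParserError as e:` and `'Bad request (Unable to parse request body: %s): %s', e, request.path`. A one-line comment above the clause would also help, since this is the only non-Suspicious exception that gets a dedicated status here: `# A malformed multipart body is a client error, not a server fault: answer 400 instead of falling through to the 500 path.` The try/except this clause joins belongs to a method whose start and end lie outside the hunk.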
diff --git a/tests/handlers/urls.py b/tests/handlers/urls.py
index dd8895aa1a..ad46ef6f03 100644
--- a/tests/handlers/urls.py
+++ b/tests/handlers/urls.py
@@ -10,4 +10,5 @@ urlpatterns = [
     url(r'^in_transaction/$', views.in_transaction),
     url(r'^not_in_transaction/$', views.not_in_transaction),
     url(r'^suspicious/$', views.suspicious),
+    url(r'^malformed_post/$', views.malformed_post),
 ]
diff --git a/tests/handlers/views.py b/tests/handlers/views.py
index 84cac97e62..4004dfe033 100644
--- a/tests/handlers/views.py
+++ b/tests/handlers/views.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 from django.core.exceptions import SuspiciousOperation
 from django.db import connection, transaction
 from django.http import HttpResponse, StreamingHttpResponse
+from django.views.decorators.csrf import csrf_exempt
 
 
 def regular(request):
@@ -24,3 +25,9 @@ def not_in_transaction(request):
 
 def suspicious(request):
     raise SuspiciousOperation('dubious')
+
+
+@csrf_exempt
+def malformed_post(request):
+    request.POST
+    return HttpResponse()
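Review bot: `request.POST` on its own line in `malformed_post` is a bare expression that linters flag as having no effect, and nothing in the view says why it is there. A trailing comment makes the intent explicit for the next reader: `request.POST  # touch POST so the multipart body is parsed and a bad boundary raises here`. The `@csrf_exempt` decorator also deserves a word, since it is presumably there to keep CSRF checking from consuming the body before the view does — `# csrf_exempt so the view, not the CSRF check, is what triggers body parsing` — but that reason should be confirmed against the middleware in use.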