From 7cc1b4710ea3fbe3a076d14f9265f115a615964a Mon Sep 17 00:00:00 2001
From: Raul Cumplido
Date: Sat, 24 Jan 2015 12:14:30 +0000
Subject: [PATCH] [1.8.x] Fixed #24209 -- Prevented crash when parsing malformed RFC 2231 headers

Thanks Tom Christie for the report and review.

Backport of ac650d02cb from master.
---
 django/http/multipartparser.py | 3 ++-
 tests/file_uploads/tests.py | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 07c874e08fe..e1de03f8b18 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -643,7 +643,8 @@ def parse_header(line):
 # Lang/encoding embedded in the value (like "filename*=UTF-8''file.ext")
 # http://tools.ietf.org/html/rfc2231#section-4
 name = name[:-1]
- has_encoding = True
+ if p.count(b"'") == 2:
+ has_encoding = True
 value = p[i + 1:].strip()
 if has_encoding:
 encoding, lang, value = value.split(b"'")
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 34681122e4c..610cf136307 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -584,3 +584,20 @@ class MultiParserTests(unittest.TestCase):
 for raw_line, expected_title in test_data:
 parsed = parse_header(raw_line)
 self.assertEqual(parsed[1]['title'], expected_title)
+
+ def test_rfc2231_wrong_title(self):
+ """
+ Test wrongly formatted RFC 2231 headers (missing double single quotes).
+ Parsing should not crash (#24209).
+ """
+ test_data = (
+ (b"Content-Type: application/x-stuff; title*='This%20is%20%2A%2A%2Afun%2A%2A%2A",
+ b"'This%20is%20%2A%2A%2Afun%2A%2A%2A"),
+ (b"Content-Type: application/x-stuff; title*='foo.html",
+ b"'foo.html"),
+ (b"Content-Type: application/x-stuff; title*=bar.html",
+ b"bar.html"),
+ )
+ for raw_line, expected_title in test_data:
+ parsed = parse_header(raw_line)
+ self.assertEqual(parsed[1]['title'], expected_title)
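Review bot: The new guard counts quotes in the whole parameter `p`, while the unpacking two lines below it splits only `value`, which is the slice `p[i + 1:]`. If a single quote sits in the part of `p` before index `i` (presumably the parameter name; confirm against the lines above the hunk), the count can be 2 while `value.split(b"'")` yields fewer than three parts, so the three-way unpack would still raise ValueError on request-supplied input. Counting on the same bytes that get split closes that gap: `if p[i + 1:].count(b"'") == 2:`. parse_header starts and ends outside this hunk, so the initial value of `has_encoding` and the definition of `i` are not visible here.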
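Review bot: The three cases in `test_rfc2231_wrong_title` only exercise values with zero or one single quote, so the upper side of the `== 2` check in parse_header is not pinned by any test. A value with three or more quotes would also have broken the three-way unpack before this change, and a later loosening of the guard to something like `>= 2` would pass this test unnoticed. Consider adding one more tuple with such a value, for example (constructed sample, expected result to be confirmed by running it) `(b"Content-Type: application/x-stuff; title*=UTF-8'en'it's.html", b"UTF-8'en'it's.html"),`. The docstring's "missing double single quotes" would also read more clearly as "not exactly two single quotes".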