mirror of https://github.com/django/django.git
Fixed #31293 -- Allowed MultiPartParser to handle double-quoted encoded headers.
parent
a21f7b91db
commit
e65fea9292
|
@ -664,12 +664,12 @@ def parse_header(line):
|
||||||
if p.count(b"'") == 2:
|
if p.count(b"'") == 2:
|
||||||
has_encoding = True
|
has_encoding = True
|
||||||
value = p[i + 1:].strip()
|
value = p[i + 1:].strip()
|
||||||
if has_encoding:
|
|
||||||
encoding, lang, value = value.split(b"'")
|
|
||||||
value = unquote(value.decode(), encoding=encoding.decode())
|
|
||||||
if len(value) >= 2 and value[:1] == value[-1:] == b'"':
|
if len(value) >= 2 and value[:1] == value[-1:] == b'"':
|
||||||
value = value[1:-1]
|
value = value[1:-1]
|
||||||
value = value.replace(b'\\\\', b'\\').replace(b'\\"', b'"')
|
value = value.replace(b'\\\\', b'\\').replace(b'\\"', b'"')
|
||||||
|
if has_encoding:
|
||||||
|
encoding, lang, value = value.split(b"'")
|
||||||
|
value = unquote(value.decode(), encoding=encoding.decode())
|
||||||
pdict[name] = value
|
pdict[name] = value
|
||||||
return key, pdict
|
return key, pdict
|
||||||
|
|
||||||
|
|
|
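Review bot: In the relocated `if has_encoding:` branch, `encoding` still comes verbatim from the request header and is passed to `unquote(value.decode(), encoding=encoding.decode())`, so a charset label Python does not recognise raises `LookupError` once the value contains a percent escape, and non-UTF-8 bytes make `.decode()` raise `UnicodeDecodeError`. Whether the caller of `parse_header` catches either is not visible here, because the function starts above this hunk. If callers expect only `ValueError` for malformed headers, these would surface as an unhandled error on an upload request; consider converting them to the error type the caller already handles, and at minimum add the comment `# encoding and value are client-supplied; unquote() raises LookupError on an unknown charset`. A regression test with an unrecognised charset inside double quotes would pin the behaviour.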
@ -162,6 +162,48 @@ class FileUploadTests(TestCase):
|
||||||
response = self.client.request(**r)
|
response = self.client.request(**r)
|
||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_unicode_file_name_rfc2231_with_double_quotes(self):
|
||||||
|
payload = client.FakePayload()
|
||||||
|
payload.write('\r\n'.join([
|
||||||
|
'--' + client.BOUNDARY,
|
||||||
|
'Content-Disposition: form-data; name="file_unicode"; '
|
||||||
|
'filename*="UTF-8\'\'%s"' % quote(UNICODE_FILENAME),
|
||||||
|
'Content-Type: application/octet-stream',
|
||||||
|
'',
|
||||||
|
'You got pwnd.\r\n',
|
||||||
|
'\r\n--' + client.BOUNDARY + '--\r\n',
|
||||||
|
]))
|
||||||
|
r = {
|
||||||
|
'CONTENT_LENGTH': len(payload),
|
||||||
|
'CONTENT_TYPE': client.MULTIPART_CONTENT,
|
||||||
|
'PATH_INFO': '/unicode_name/',
|
||||||
|
'REQUEST_METHOD': 'POST',
|
||||||
|
'wsgi.input': payload,
|
||||||
|
}
|
||||||
|
response = self.client.request(**r)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_unicode_name_rfc2231_with_double_quotes(self):
|
||||||
|
payload = client.FakePayload()
|
||||||
|
payload.write('\r\n'.join([
|
||||||
|
'--' + client.BOUNDARY,
|
||||||
|
'Content-Disposition: form-data; name*="UTF-8\'\'file_unicode"; '
|
||||||
|
'filename*="UTF-8\'\'%s"' % quote(UNICODE_FILENAME),
|
||||||
|
'Content-Type: application/octet-stream',
|
||||||
|
'',
|
||||||
|
'You got pwnd.\r\n',
|
||||||
|
'\r\n--' + client.BOUNDARY + '--\r\n'
|
||||||
|
]))
|
||||||
|
r = {
|
||||||
|
'CONTENT_LENGTH': len(payload),
|
||||||
|
'CONTENT_TYPE': client.MULTIPART_CONTENT,
|
||||||
|
'PATH_INFO': '/unicode_name/',
|
||||||
|
'REQUEST_METHOD': 'POST',
|
||||||
|
'wsgi.input': payload,
|
||||||
|
}
|
||||||
|
response = self.client.request(**r)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
def test_blank_filenames(self):
|
def test_blank_filenames(self):
|
||||||
"""
|
"""
|
||||||
Receiving file upload when filename is blank (before and after
|
Receiving file upload when filename is blank (before and after
|
||||||
|
|
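Review bot: Both added tests, `test_unicode_file_name_rfc2231_with_double_quotes` and `test_unicode_name_rfc2231_with_double_quotes`, assert only `response.status_code == 200`, so they prove the double-quoted form is decoded only if the `/unicode_name/` view itself compares the received filename with `UNICODE_FILENAME`; that view is not visible on this page. A short comment in each test, e.g. `# The view returns 200 only when the decoded filename matches UNICODE_FILENAME.`, would make that dependency explicit, once confirmed against the view. As a style point, the second test's list ends with `'\r\n--' + client.BOUNDARY + '--\r\n'` without the trailing comma that the first test uses.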