	[1.8.x] Fixed #24209 -- Prevented crash when parsing malformed RFC 2231 headers
Thanks Tom Christie for the report and review.
Backport of ac650d02cb from master.
			
			
		
				
					committed by
					
						 Claude Paroz
						Claude Paroz
					
				
			
			
				
	
			
			
			
						parent
						
							29fa0e3c66
						
					
				
				
					commit
					7cc1b4710e
				
			| @@ -643,7 +643,8 @@ def parse_header(line): | ||||
|                 # Lang/encoding embedded in the value (like "filename*=UTF-8''file.ext") | ||||
|                 # http://tools.ietf.org/html/rfc2231#section-4 | ||||
|                 name = name[:-1] | ||||
|                 has_encoding = True | ||||
|                 if p.count(b"'") == 2: | ||||
|                     has_encoding = True | ||||
|             value = p[i + 1:].strip() | ||||
|             if has_encoding: | ||||
|                 encoding, lang, value = value.split(b"'") | ||||
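Review bot: The quote count on the added line `if p.count(b"'") == 2:` is taken over the whole parameter `p`, while the unpacking `encoding, lang, value = value.split(b"'")` splits only `value`, which is `p[i + 1:]`. If the name part of a parameter also contains a single quote, the count can reach two while the value splits into fewer than three pieces, so the unpack would still raise ValueError on header data that presumably comes from the client. Counting on the value side keeps the check and the split in agreement, e.g. `if p[i + 1:].count(b"'") == 2:`. parse_header starts and continues outside this hunk, so how `i` is computed and how `encoding` is used afterwards is not visible here.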
|   | ||||
| @@ -584,3 +584,20 @@ class MultiParserTests(unittest.TestCase): | ||||
|         for raw_line, expected_title in test_data: | ||||
|             parsed = parse_header(raw_line) | ||||
|             self.assertEqual(parsed[1]['title'], expected_title) | ||||
|  | ||||
|     def test_rfc2231_wrong_title(self): | ||||
|         """ | ||||
|         Test wrongly formatted RFC 2231 headers (missing double single quotes). | ||||
|         Parsing should not crash (#24209). | ||||
|         """ | ||||
|         test_data = ( | ||||
|             (b"Content-Type: application/x-stuff; title*='This%20is%20%2A%2A%2Afun%2A%2A%2A", | ||||
|              b"'This%20is%20%2A%2A%2Afun%2A%2A%2A"), | ||||
|             (b"Content-Type: application/x-stuff; title*='foo.html", | ||||
|              b"'foo.html"), | ||||
|             (b"Content-Type: application/x-stuff; title*=bar.html", | ||||
|              b"bar.html"), | ||||
|         ) | ||||
|         for raw_line, expected_title in test_data: | ||||
|             parsed = parse_header(raw_line) | ||||
|             self.assertEqual(parsed[1]['title'], expected_title) | ||||
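Review bot: The cases in `test_rfc2231_wrong_title` cover values with zero or one single quote, but none with more than two, which is the other side of the `== 2` check in parse_header. A further tuple such as `(b"Content-Type: application/x-stuff; title*=UTF-8'en'a'b.html", b"UTF-8'en'a'b.html")` (a constructed sample) would pin that such input is passed through unsplit, assuming the unencoded path returns the raw bytes as it does in the existing cases. A case with a quote in the parameter name would also be worth adding, since the count is taken over the whole parameter. The enclosing MultiParserTests class starts outside the hunk.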
|   | ||||