| Age | Commit message | Author | |
|---|---|---|---|
| 2026-05-05 | Fixed #37053 -- Added validate=True to base64.b64decode() calls. | Sarah Boyce | |
| 2026-04-07 | Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser. | Natalia | |
| When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. | |||
| 2026-02-24 | Fixed #36931 -- Handled LookupError in multipart parser for invalid RFC 2231 encoding. | sammiee5311 | |
| Added LookupError to the except clause so invalid headers are silently skipped, consistent with other malformed header handling. | |||
| 2025-08-28 | Refs #36520 -- Ensured only the header value is passed to parse_header_parameters for multipart requests. | Jake Howard | |
| Header parsing should apply only to the header value. The previous implementation happened to work but relied on unintended behavior. | |||
| 2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot | |
| Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. | |||
| 2025-07-23 | Refs #36500 -- Shortened some long docstrings and comments. | Mike Edmunds | |
| Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes. | |||
| 2025-03-31 | Refs #28909 -- Simplified code using unpacking generalizations. | Aarni Koskela | |
| 2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak | |
| https://github.com/psf/black/releases/tag/24.1.0 | |||
| 2023-11-24 | Fixed #34968 -- Made multipart parsing of headers raise an error on too long headers. | Standa Opichal | |
| This also allows customizing the maximum size of headers via MAX_TOTAL_HEADER_SIZE. | |||
| 2023-02-14 | Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files. | Markus Holtermann | |
| Thanks to Jakob Ackermann for the report. | |||
| 2022-11-10 | Updated documentation and comments for RFC updates. | Nick Pope | |
| - Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents | |||
| 2022-06-28 | Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams. | Mehrdad | |
| This also removes unused parse_header() and _parse_header_params() helpers in django.http.multipartparser. | |||
| 2022-06-28 | Removed unnecessary _parse_header() from MultiPartParser. | Mariusz Felisiak | |
| Reraising ValueError was unused since its introduction in d725cc9734272f867d41f7236235c28b3931a1b2. | |||
| 2022-06-03 | Refs #33697 -- Made MultiPartParser use django.utils.http.parse_header_parameters() for parsing Content-Type header. | Mehrdad | |
| 2022-06-01 | Refs #33697 -- Fixed multipart parsing of headers with double quotes and semicolons. | Mehrdad | |
| See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a | |||
| 2022-05-11 | Refs #33173 -- Removed use of deprecated cgi module. | Carlton Gibson | |
| https://peps.python.org/pep-0594/#cgi | |||
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2022-02-01 | Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads. | Mariusz Felisiak | |
| Thanks Alan Ryan for the report and initial patch. | |||
| 2022-01-20 | Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names. | Hrushikesh Vaidya | |
| 2021-12-02 | Updated various links to HTTPS and new locations. | Mariusz Felisiak | |
| Co-Authored-By: Nick Pope <nick@nickpope.me.uk> | |||
| 2021-05-04 | Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. | Florian Apolloner | |
| 2021-04-06 | Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files. | Mariusz Felisiak | |
| Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report. | |||
| 2020-09-30 | Fixed #30422 -- Made TemporaryFileUploadHandler handle interrupted uploads. | aryan | |
| This patch allows upload handlers to handle interrupted uploads. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2020-06-11 | Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash. | Michael Brown | |
| 2020-02-28 | Fixed #31293 -- Allowed MultiPartParser to handle double-quoted encoded headers. | 007 | |
| 2019-05-08 | Refs #27753 -- Deprecated django.utils.text.unescape_entities(). | Jon Dufresne | |
| The function was undocumented and only required for compatibility with Python 2. Code should use Python's html.unescape() that was added in Python 3.4. | |||
| 2019-04-24 | Removed unnecessary assignments in various code. | Jon Dufresne | |
| 2019-03-02 | Refs #30227 -- Added helpful message for non-ASCII Content-Type in multipart request. | Tim Graham | |
| 2019-03-02 | Fixed #30227 -- Fixed crash on request without boundary in Content-Type. | Tim Graham | |
| 2019-02-14 | Optimized iterator exhaustion using collections.deque(). | Nick Pope | |
| 2019-02-06 | Refs #27753 -- Favored force/smart_str() over force/smart_text(). | Aymeric Augustin | |
| 2017-12-26 | Fixed #28930 -- Simplified code with any() and all(). | Дилян Палаузов | |
| 2017-09-22 | Removed unused eof argument to BoundaryIter._find_boundary(). | Mariusz Felisiak | |
| Unused since its introduction in d725cc9734272f867d41f7236235c28b3931a1b2. | |||
| 2017-05-27 | Fixed #28226 -- Replaced use of str.join() with concatenation. | Tom | |
| 2017-02-20 | Refs #27656 -- Updated django.forms/http docstring verbs according to PEP 257. | Anton Samarchyan | |
| 2017-02-17 | Fixed #27308 -- Fixed BytesWarnings in the test suite. | Tim Graham | |
| 2017-01-26 | Refs #23919, #27778 -- Removed obsolete mentions of unicode. | Vytis Banaitis | |
| 2017-01-25 | Corrected http.multipartparser.exhaust() docstring. | Tim Graham | |
| MultiPartParserError was removed in ebf34c3cdcd2c75349c60a064427ac255958bf9b. | |||
| 2017-01-25 | Removed unused variables that are overwritten. | Mads Jensen | |
| 2017-01-22 | Refs #23919 -- Replaced six.reraise by raise | Claude Paroz | |
| 2017-01-19 | Refs #23919 -- Stopped inheriting from object to define new style classes. | Simon Charette | |
| 2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed six.<various>_types usage | Claude Paroz | |
| Thanks Tim Graham and Simon Charette for the reviews. | |||
| 2017-01-18 | Refs #23919 -- Removed six.PY2/PY3 usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2016-12-07 | Refs #17235 -- Made MultiPartParser leave request.POST immutable. | Vinay Karanam | |
| 2016-11-14 | Fixed E305 flake8 warnings. | Ramin Farajpour Cami | |
| 2016-06-05 | Fixed comment typo in multiparser.py | Jon Dufresne | |
| 2016-06-04 | Made style improvements to multipartparser.py | Asif Saifuddin Auvi | |
