path: root/django/http/multipartparser.py
Age         Commit message                                                            (Author)
2026-04-07  Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.  (Natalia)
    When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size.
    The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end.
    Thanks to Seokchan Yoon for the report and the fixing patch.
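A cost model for the alignment loop this commit message describes, added here as an illustration; it is not Django's code. `LazyStream` below is a stripped-down stand-in for the class of that name in django/http/multipartparser.py (read() and unget() over a leftover buffer, without the real class's unget-history guard), the two `align_base64_*` functions model the pre-fix and fixed loop shapes from the message rather than reproducing Django's source, and the payload, the `reads`/`bytes_copied` counters and the 256-byte chunk size are constructed for the demonstration.

```python
"""Cost model for the base64 alignment loop (added example, not Django's code)."""
import base64


class LazyStream:
    """Simplified stand-in for django.http.multipartparser.LazyStream.

    read(size) pulls a whole buffer (from the producer or the unget() leftover),
    slices off what was asked for and pushes the rest back, so each call costs
    O(len(buffer)) no matter how small `size` is.  The real class also keeps an
    unget-history guard, which this model omits.
    """

    def __init__(self, data, producer_chunk=None):
        step = producer_chunk or max(len(data), 1)
        self._producer = iter([data[i:i + step] for i in range(0, len(data), step)])
        self._leftover = b""
        self.reads = 0          # instrumentation: number of read() calls
        self.bytes_copied = 0   # instrumentation: bytes pushed back via unget()

    def _next_chunk(self):
        if self._leftover:
            chunk, self._leftover = self._leftover, b""
            return chunk
        return next(self._producer, b"")

    def unget(self, data):
        # Prepending to the leftover buffer rebuilds it: an O(n) copy.
        self.bytes_copied += len(data)
        self._leftover = data + self._leftover

    def read(self, size):
        self.reads += 1
        out, remaining = [], size
        while remaining > 0:
            chunk = self._next_chunk()
            if not chunk:
                break
            emitting = chunk[:remaining]
            self.unget(chunk[remaining:])
            out.append(emitting)
            remaining -= len(emitting)
        return b"".join(out)


def strip_ws(data):
    """Drop ASCII whitespace, as the parser does before base64-decoding."""
    return b"".join(data.split())


def align_base64_per_byte(stream, chunk):
    """Pre-fix shape: ask for only the 1-3 bytes still needed.

    Whitespace strips to nothing, so this loops once per whitespace byte and
    every iteration pays for a full-buffer unget().
    """
    stripped = strip_ws(chunk)
    while len(stripped) % 4:
        over = stream.read(4 - len(stripped) % 4)
        if not over:
            break
        stripped += strip_ws(over)
    return stripped


def align_base64_chunked(stream, chunk, chunk_size):
    """Fixed shape: top up chunk_size bytes at a time, join once at the end.

    Reading past the alignment point is harmless: the surplus is whole base64
    groups that decode together with this chunk.
    """
    parts = [strip_ws(chunk)]
    total = len(parts[0])
    while total % 4:
        over = stream.read(chunk_size)
        if not over:
            break
        piece = strip_ws(over)
        parts.append(piece)
        total += len(piece)
    return b"".join(parts)


def run_comparison(n_spaces=1000, chunk_size=256):
    """Run both loops over the same constructed payload and report their cost."""
    # Constructed sample: the parser already holds "QUJ" (3 base64 chars, one
    # short of a group); the stream continues with n_spaces whitespace bytes,
    # the missing "D", then one more full group.
    first_chunk = b"QUJ"
    remainder = b" " * n_spaces + b"D" + b"RUZH"
    slow = LazyStream(remainder)
    slow_out = align_base64_per_byte(slow, first_chunk)
    fast = LazyStream(remainder)
    fast_out = align_base64_chunked(fast, first_chunk, chunk_size)
    return {
        "per_byte": {"stripped": slow_out, "reads": slow.reads, "bytes_copied": slow.bytes_copied},
        "chunked": {"stripped": fast_out, "reads": fast.reads, "bytes_copied": fast.bytes_copied},
    }


if __name__ == "__main__":
    for name, r in run_comparison().items():
        print(f"{name:8s} reads={r['reads']:5d} bytes_copied={r['bytes_copied']:7d} "
              f"decoded={base64.b64decode(r['stripped'])!r}")
```

With 1000 whitespace bytes the per-byte loop issues 1001 reads and unget() copies 504,504 bytes, while the chunked loop issues 4 reads and copies 1,479 bytes; doubling the whitespace takes the per-byte figure to 2,009,004 (roughly 4x, the quadratic signature), and the chunked cost is the same sum divided by the chunk size, which is why Django's fix reads `self._chunk_size` (64 KiB with the default upload handlers) rather than the 256 bytes used here to keep the effect visible. Both loops yield data that decodes cleanly; the chunked one simply carries the next group along with it.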
2026-02-24  Fixed #36931 -- Handled LookupError in multipart parser for invalid RFC 2231 encoding.  (sammiee5311)
    Added LookupError to the except clause so invalid headers are silently skipped, consistent with other malformed header handling.
2025-08-28  Refs #36520 -- Ensured only the header value is passed to parse_header_parameters for multipart requests.  (Jake Howard)
    Header parsing should apply only to the header value. The previous implementation happened to work but relied on unintended behavior.
2025-07-23  Refs #36500 -- Rewrapped long docstrings and block comments via a script.  (django-bot)
    Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23  Refs #36500 -- Shortened some long docstrings and comments.  (Mike Edmunds)
    Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.
2025-03-31  Refs #28909 -- Simplified code using unpacking generalizations.  (Aarni Koskela)
2024-01-26  Applied Black's 2024 stable style.  (Mariusz Felisiak)
    https://github.com/psf/black/releases/tag/24.1.0
2023-11-24  Fixed #34968 -- Made multipart parsing of headers raise an error on too long headers.  (Standa Opichal)
    This also allows customizing the maximum size of headers via MAX_TOTAL_HEADER_SIZE.
2023-02-14  Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.  (Markus Holtermann)
    Thanks to Jakob Ackermann for the report.
2022-11-10  Updated documentation and comments for RFC updates.  (Nick Pope)
    - Updated references to RFC 1123 to RFC 5322
      - Only partial as RFC 5322 sort of sub-references RFC 1123.
    - Updated references to RFC 2388 to RFC 7578
      - Except RFC 2388 Section 5.3 which has no equivalent.
    - Updated references to RFC 2396 to RFC 3986
    - Updated references to RFC 2616 to RFC 9110
    - Updated references to RFC 3066 to RFC 5646
    - Updated references to RFC 7230 to RFC 9112
    - Updated references to RFC 7231 to RFC 9110
    - Updated references to RFC 7232 to RFC 9110
    - Updated references to RFC 7234 to RFC 9111
    - Tidied up style of text when referring to RFC documents
2022-06-28  Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.  (Mehrdad)
    This also removes unused parse_header() and _parse_header_params() helpers in django.http.multipartparser.
2022-06-28  Removed unnecessary _parse_header() from MultiPartParser.  (Mariusz Felisiak)
    Reraising ValueError was unused since its introduction in d725cc9734272f867d41f7236235c28b3931a1b2.
2022-06-03  Refs #33697 -- Made MultiPartParser use django.utils.http.parse_header_parameters() for parsing Content-Type header.  (Mehrdad)
2022-06-01  Refs #33697 -- Fixed multipart parsing of headers with double quotes and semicolons.  (Mehrdad)
    See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a
2022-05-11  Refs #33173 -- Removed use of deprecated cgi module.  (Carlton Gibson)
    https://peps.python.org/pep-0594/#cgi
2022-02-07  Refs #33476 -- Refactored code to strictly match 88 characters line length.  (Mariusz Felisiak)
2022-02-07  Refs #33476 -- Reformatted code with Black.  (django-bot)
2022-02-01  Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.  (Mariusz Felisiak)
    Thanks Alan Ryan for the report and initial patch.
2022-01-20  Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names.  (Hrushikesh Vaidya)
2021-12-02  Updated various links to HTTPS and new locations.  (Mariusz Felisiak)
    Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
2021-05-04  Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.  (Florian Apolloner)
2021-04-06  Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.  (Mariusz Felisiak)
    Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report.
2020-09-30  Fixed #30422 -- Made TemporaryFileUploadHandler handle interrupted uploads.  (aryan)
    This patch allows upload handlers to handle interrupted uploads.
    Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-06-11  Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.  (Michael Brown)
2020-02-28  Fixed #31293 -- Allowed MultiPartParser to handle double-quoted encoded headers.  (007)
2019-05-08  Refs #27753 -- Deprecated django.utils.text.unescape_entities().  (Jon Dufresne)
    The function was undocumented and only required for compatibility with Python 2. Code should use Python's html.unescape() that was added in Python 3.4.
2019-04-24  Removed unnecessary assignments in various code.  (Jon Dufresne)
2019-03-02  Refs #30227 -- Added helpful message for non-ASCII Content-Type in multipart request.  (Tim Graham)
2019-03-02  Fixed #30227 -- Fixed crash on request without boundary in Content-Type.  (Tim Graham)
2019-02-14  Optimized iterator exhaustion using collections.deque().  (Nick Pope)
2019-02-06  Refs #27753 -- Favored force/smart_str() over force/smart_text().  (Aymeric Augustin)
2017-12-26  Fixed #28930 -- Simplified code with any() and all().  (Дилян Палаузов)
2017-09-22  Removed unused eof argument to BoundaryIter._find_boundary().  (Mariusz Felisiak)
    Unused since its introduction in d725cc9734272f867d41f7236235c28b3931a1b2.
2017-05-27  Fixed #28226 -- Replaced use of str.join() with concatenation.  (Tom)
2017-02-20  Refs #27656 -- Updated django.forms/http docstring verbs according to PEP 257.  (Anton Samarchyan)
2017-02-17  Fixed #27308 -- Fixed BytesWarnings in the test suite.  (Tim Graham)
2017-01-26  Refs #23919, #27778 -- Removed obsolete mentions of unicode.  (Vytis Banaitis)
2017-01-25  Corrected http.multipartparser.exhaust() docstring.  (Tim Graham)
    MultiPartParserError was removed in ebf34c3cdcd2c75349c60a064427ac255958bf9b.
2017-01-25  Removed unused variables that are overwritten.  (Mads Jensen)
2017-01-22  Refs #23919 -- Replaced six.reraise by raise.  (Claude Paroz)
2017-01-19  Refs #23919 -- Stopped inheriting from object to define new style classes.  (Simon Charette)
2017-01-18  Refs #23919 -- Removed most of the remaining six usage.  (Claude Paroz)
    Thanks Tim Graham for the review.
2017-01-18  Refs #23919 -- Removed six.<various>_types usage.  (Claude Paroz)
    Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18  Refs #23919 -- Removed six.PY2/PY3 usage.  (Claude Paroz)
    Thanks Tim Graham for the review.
2017-01-18  Refs #23919 -- Removed encoding preambles and future imports.  (Claude Paroz)
2016-12-07  Refs #17235 -- Made MultiPartParser leave request.POST immutable.  (Vinay Karanam)
2016-11-14  Fixed E305 flake8 warnings.  (Ramin Farajpour Cami)
2016-06-05  Fixed comment typo in multipartparser.py.  (Jon Dufresne)
2016-06-04  Made style improvements to multipartparser.py.  (Asif Saifuddin Auvi)
2016-05-12  Fixed #21231 -- Enforced a max size for GET/POST values read into memory.  (Andre Cruz)
    Thanks Tom Christie for review.