From 41ff30f6f9d072036be1f74db8f0c8b21565299f Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 20 Aug 2025 16:04:48 +0100
Subject: Refs #36520 -- Ensured only the header value is passed to parse_header_parameters for multipart requests.

Header parsing should apply only to the header value. The previous implementation happened to work but relied on unintended behavior.
---
 django/http/multipartparser.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'django/http/multipartparser.py')
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 531f9a0468..d420c255eb 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -721,11 +721,10 @@ def parse_boundary_stream(stream, max_header_size):
 # Eliminate blank lines
 for line in header.split(b"\r\n"):
- # This terminology ("main value" and "dictionary of
- # parameters") is from the Python docs.
 try:
- main_value_pair, params = parse_header_parameters(line.decode())
- name, value = main_value_pair.split(":", 1)
+ header_name, value_and_params = line.decode().split(":", 1)
+ name = header_name.lower().rstrip(" ")
+ value, params = parse_header_parameters(value_and_params.lstrip(" "))
 params = {k: v.encode() for k, v in params.items()}
 except ValueError: # Invalid header.
 continue
-- 
cgit v1.3
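Review bot: `name = header_name.lower().rstrip(" ")` strips spaces between a part-header name and the colon, which the removed lines did not do in the visible code, so a part header with a space-padded name may now be recognised by this parser even if a stricter body-inspecting filter in front of it skips that part. Only SP is stripped, so a tab in the same position is still handled differently, and the commit message does not mention any change in accepted input. If the tolerance is intended, record it in a comment above the split, e.g. `# Part headers are MIME headers: spaces around the colon are tolerated, tabs are not.`; if it is not, keep the name strict with `name = header_name.lower()` so a padded name never matches. parse_boundary_stream starts before and continues after this hunk, so whether `name` is normalised or compared later cannot be confirmed from here.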