#29323: HTTPRequest QueryDict wrongly decodes binary encoded values
---------------------------------+--------------------------------------
Reporter: Thomas Riccardi | Owner: nobody
Type: Bug | Status: closed
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Comment (by Claude Paroz):
It would be possible to let raw bytes in `QueryDict` when a value
cannot be properly decoded (I'll attach a patch doing that). This would
however change the (tested in
`handlers.tests.HandlerTests.test_non_ascii_query_string`) behavior when
Django receives a badly-encoded query string like `url?want=caf%E9`
(latin-1 encoded instead of utf-8 encoded).
With the current code, `request.POST['want']` contains `'caf�'` (i.e.
`'caf\ufffd'`). If we let bytes be bytes, `request.POST['want']` would
result in the binary `b'caf\xe9'` instead.
My main concern would be that developers should then add much defensive
coding every time they access `request.POST` values. Typically, the
currently valid `request.POST.get('want', '').startswith('caf')` test in a
view could easily crash by posting specially-crafted values.
--
Ticket URL: <https://code.djangoproject.com/ticket/29323#comment:11>
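
An added illustration, not part of the ticket, the attached patch or Django's own code: a standard-library model of the two behaviours the comment above compares, showing how a `str`-only check in a view fails once undecodable values stay as bytes. The function names are hypothetical and the parsers only approximate `QueryDict`.

```python
from urllib.parse import unquote_to_bytes


def _pairs(query):
    """Yield (key, raw value bytes) for each key=value pair in a query string."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield (unquote_to_bytes(key.replace("+", " ")).decode("utf-8", "replace"),
                   unquote_to_bytes(value.replace("+", " ")))


def parse_replace(query):
    """Current behaviour per the comment: bad bytes become U+FFFD, values are always str."""
    return {k: raw.decode("utf-8", "replace") for k, raw in _pairs(query)}


def parse_bytes_fallback(query):
    """Proposed behaviour per the comment: values that are not valid UTF-8 stay as bytes."""
    out = {}
    for k, raw in _pairs(query):
        try:
            out[k] = raw.decode("utf-8")
        except UnicodeDecodeError:
            out[k] = raw
    return out


def view_check(params):
    """The test quoted in the comment; it assumes every value is a str."""
    return params.get("want", "").startswith("caf")


def defensive_view_check(params):
    """The extra type check each view would need if values may be bytes."""
    value = params.get("want", "")
    return isinstance(value, str) and value.startswith("caf")


if __name__ == "__main__":
    bad = "want=caf%E9"  # constructed input: latin-1 encoded, as in the comment
    print(repr(parse_replace(bad)["want"]), view_check(parse_replace(bad)))
    print(repr(parse_bytes_fallback(bad)["want"]),
          defensive_view_check(parse_bytes_fallback(bad)))
    try:
        view_check(parse_bytes_fallback(bad))
    except TypeError as exc:  # bytes.startswith() rejects a str argument
        print("unguarded view raised:", exc)
```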