#29323: HTTPRequest QueryDict wrongly decodes binary encoded values
---------------------------------+--------------------------------------
     Reporter:  Thomas Riccardi  |                    Owner:  nobody
         Type:  Bug              |                   Status:  closed
    Component:  HTTP handling    |                  Version:  1.11
     Severity:  Normal           |               Resolution:  wontfix
     Keywords:                   |             Triage Stage:  Unreviewed
    Has patch:  0                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------

Comment (by Claude Paroz):

 It would be possible to let raw bytes in `QueryDict` when a form value
 cannot be properly decoded (I'll attach a patch doing that). This would
 however change the (tested in
 `handlers.tests.HandlerTests.test_non_ascii_query_string`) behavior when
 Django receives a badly-encoded query string like `url?want=caf%E9`
 (latin-1 encoded instead of utf-8 encoded).
 With the current code, `request.POST['want']` contains `'caf�'` (i.e.
 `'caf\ufffd'`). If we let bytes be bytes, `request.POST['want']` would
 result in the binary `b'caf\xe9'` instead.

 My main concern would be that developers should then add much defensive
 coding every time they access `request.POST` values. Typically, the
 currently valid `request.POST.get('want', '').startswith('caf')` test in a
 view could easily crash by posting specially-crafted values.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29323#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
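An added illustration (not code from the ticket or from Django itself) of the two behaviours compared in the comment, using its `want=caf%E9` example. The parser below is a small standard-library stand-in for `QueryDict`, and both query strings are constructed:

```python
from urllib.parse import unquote_to_bytes

# Constructed query strings, not taken from Django's test suite:
UTF8_QS = b"want=caf%C3%A9"   # 'café' correctly UTF-8 encoded
LATIN1_QS = b"want=caf%E9"    # the badly-encoded (latin-1) form from the ticket


def _pairs(qs: bytes):
    """Split a raw query string into percent-decoded (key, value) byte pairs."""
    for pair in qs.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        yield (unquote_to_bytes(key.replace(b"+", b" ")),
               unquote_to_bytes(value.replace(b"+", b" ")))


def parse_replace(qs: bytes, encoding: str = "utf-8") -> dict:
    """Behaviour the comment describes as current: undecodable bytes become
    U+FFFD, so every value handed to the view is always a str."""
    return {k.decode(encoding, "replace"): v.decode(encoding, "replace")
            for k, v in _pairs(qs)}


def parse_keep_bytes(qs: bytes, encoding: str = "utf-8") -> dict:
    """The alternative under discussion: a value that does not decode cleanly
    is kept as raw bytes, so a view may receive either str or bytes."""
    out = {}
    for k, v in _pairs(qs):
        key = k.decode(encoding, "replace")
        try:
            out[key] = v.decode(encoding)
        except UnicodeDecodeError:
            out[key] = v  # raw bytes survive, e.g. b'caf\xe9'
    return out


def wants_cafe(post: dict) -> bool:
    """The view-level test quoted in the comment: fine while values are str,
    but bytes.startswith(str) raises TypeError if a bytes value slips in."""
    return post.get("want", "").startswith("caf")


def wants_cafe_defensive(post: dict) -> bool:
    """The extra defensive coding the comment says every view would then need."""
    value = post.get("want", "")
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return value.startswith("caf")
```

With the latin-1 input, `parse_replace` yields `'caf\ufffd'` and the plain check still passes, while `parse_keep_bytes` yields `b'caf\xe9'` and the same check raises `TypeError`.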
