Re: [Django] #34742: calling a DELETE endpoint without a trailing slash does not thow RuntimeError in DEBUG mode

[Django]

#34742: calling a DELETE endpoint without a trailing slash does not thow
RuntimeError in DEBUG mode
---------------------------------+--------------------------------------
     Reporter:  pwnage101        |                    Owner:  (none)
         Type:  Bug              |                   Status:  new
    Component:  Error reporting  |                  Version:  4.2
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Unreviewed
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Description changed by pwnage101:

Old description:

> Current situation:
>
> If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a
> standard DRF-generated POST, PUT, or Patch endpoint without a trailing
> slash will result in itentionally raising a RuntimeError in order to warn
> developers that callers must be re-written to include a trailing slash or
> else it the 301 redirect will convert the request into a GET and clear
> the request payload:
>
> https://github.com/pwnage101/django/blob/fbac2a4dd846b52c4f379eacb5bab654fe9540cc/django/middleware/common.py#L86
>
> The problem:
>
> The linked code doesn't also do the same for DELETE, so DELETE calls
> missing trailing slashes are silently converted to GET calls in
> development environments which could result in uncaught bugs in
> production.
>
> I proposed a simple fix:
> https://github.com/django/django/pull/17072/files

New description:

 If DEBUG mode is enabled, and APPEND_SLASH is set to True, calling a
 standard DRF-generated POST, PUT, or PATCH endpoint without a trailing
 slash will result in intentionally raising a RuntimeError in order to warn
 developers that API clients should be fixed to include a trailing slash or
 else the 301 redirect will silently convert the request into a GET and
 clear the request payload:

 
https://github.com/django/django/blob/fbac2a4dd846b52c4f379eacb5bab654fe9540cc/django/middleware/common.py#L86

 The problem:

 The above linked code doesn't also do the same for DELETE, so DELETE calls
 missing trailing slashes are silently converted to GET calls in
 development environments which could result in uncaught bugs in
 production.

 I proposed a simple fix: https://github.com/django/django/pull/17072/files

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34742#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701898f10b195-f36a2efd-f3ef-4f49-9d4d-6bdaa0344120-000000%40eu-central-1.amazonses.com.