#36833: HttpRequest.accepted_types incorrectly splits Accept header on commas inside quoted parameter values
-----------------------------------------+------------------------------
Reporter: Naveed Qadir | Owner: Naveed Qadir
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------------
The `accepted_types` property in `HttpRequest` uses `str.split(",")` to
parse the Accept header, which incorrectly splits on commas that appear
inside quoted parameter values.
== Example ==
{{{#!python
# Accept header with quoted parameter containing comma
header = 'text/plain; param="a,b", application/json'
# Current behavior (WRONG):
header.split(",")
# Returns: ['text/plain; param="a', 'b"', ' application/json']
# 3 parts - comma inside quotes was incorrectly treated as separator
# Expected behavior (per RFC 7231):
# Should return 2 media types:
# 1. text/plain; param="a,b"
# 2. application/json
}}}
== RFC Reference ==
RFC 7231 Section 5.3.2 specifies that media-type parameters can contain
quoted-string values, and RFC 7230 Section 3.2.6 allows commas within
quoted strings.
== Proposed Fix ==
Add a `split_header_words()` helper function to `django/utils/http.py`
that splits on commas while respecting quoted strings, similar to how
`_parseparam()` handles semicolons.
A patch with tests is available.
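As an added illustration of the quote-aware split the ticket proposes (this is example code written for this page, not the ticket's patch and not Django's `django/utils/http.py`), the `split_header_words()` below walks the header character by character, tracking whether it is inside an RFC 7230 quoted-string and treating a backslash inside quotes as a quoted-pair escape. The helper name and the `accepted_media_types()` wrapper are assumptions for the demonstration; the sample header is the one from the ticket.

```python
# Added example: a quote-aware comma splitter for the Accept header.
# Not Django's implementation; the function name mirrors the ticket's proposal.

def split_header_words(header):
    """Split a comma-separated header value into its top-level elements.

    Commas inside a quoted-string (RFC 7230 section 3.2.6) are kept, and a
    backslash inside quotes escapes the next character (quoted-pair), so a
    value such as "x\\"y,z" stays intact. Surrounding whitespace is stripped
    and empty elements (e.g. from ",,") are dropped, which RFC 7230 list
    syntax permits. An unterminated quote swallows the rest of the header
    into one element rather than raising, so a malformed client header
    degrades gracefully instead of crashing request handling.
    """
    parts = []
    current = []
    in_quotes = False
    escape = False
    for ch in header:
        if escape:
            # Character after a backslash inside quotes: always literal.
            current.append(ch)
            escape = False
        elif in_quotes and ch == "\\":
            current.append(ch)
            escape = True
        elif ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == "," and not in_quotes:
            # Top-level comma: end the current element.
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def accepted_media_types(header):
    """Return just the media type of each Accept element (parameters dropped),
    which makes the difference between the naive and quote-aware split visible."""
    return [word.split(";", 1)[0].strip() for word in split_header_words(header)]


if __name__ == "__main__":
    # Constructed sample taken from the ticket: a comma inside a quoted parameter.
    header = 'text/plain; param="a,b", application/json'
    print(header.split(","))           # naive: 3 pieces, quoted value torn apart
    print(split_header_words(header))  # quote-aware: 2 elements
    print(accepted_media_types(header))
```

Run with `python split_header_words.py`; the naive split yields three fragments while the quote-aware split yields the two media types the ticket expects.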
--
Ticket URL: <https://code.djangoproject.com/ticket/36833>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.