
[1.5.x] Fixed #15152 -- Avoided crash of CommonMiddleware on broken q…

…uerystring

Backport of 973f539 from master.
commit be6522561f01aa2a0b503fb35f35c9fd34c5110f 1 parent e51a9c0
Aymeric Augustin aaugustin authored
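--- a/django/middleware/common.py
+++ b/django/middleware/common.py
@@ -6,6 +6,7 @@
 from django import http
 from django.core.mail import mail_managers
 from django.utils.http import urlquote
+from django.utils import six
 from django.core import urlresolvers
@@ -87,7 +88,17 @@ def process_request(self, request):
 else:
 newurl = urlquote(new_url[1])
 if request.META.get('QUERY_STRING', ''):
- newurl += '?' + request.META['QUERY_STRING']
+ if six.PY3:
+ newurl += '?' + request.META['QUERY_STRING']
+ else:
+ # `query_string` is a bytestring. Appending it to the unicode
+ # string `newurl` will fail if it isn't ASCII-only. This isn't
+ # allowed; only broken software generates such query strings.
+ # Better drop the invalid query string than crash (#15152).
+ try:
+ newurl += '?' + request.META['QUERY_STRING'].decode()
+ except UnicodeDecodeError:
+ pass
 return http.HttpResponsePermanentRedirect(newurl)
 def process_response(self, request, response):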
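Review bot: The Python 2 branch calls `.decode()` with no codec, so the check depends on the interpreter's default encoding rather than on the ASCII-only rule the comment states; `newurl += '?' + request.META['QUERY_STRING'].decode('ascii')` makes it explicit and independent of site configuration. The `except UnicodeDecodeError: pass` path also drops the query string without a trace, so a client sending raw non-ASCII bytes is redirected silently; a log line at debug or warning level there would make such requests visible to operators. The comment names `query_string`, which does not appear in this hunk; `request.META['QUERY_STRING']` would be clearer. The body of process_request starts and continues outside the hunk.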
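--- a/tests/regressiontests/middleware/tests.py
+++ b/tests/regressiontests/middleware/tests.py
@@ -294,6 +294,15 @@ def test_404_error_reporting_ignored_url(self):
 CommonMiddleware().process_response(request, response)
 self.assertEqual(len(mail.outbox), 0)
+ # Other tests
+
+ def test_non_ascii_query_string_does_not_crash(self):
+ """Regression test for #15152"""
+ request = self._get_request('slash')
+ request.META['QUERY_STRING'] = 'drink=café'
+ response = CommonMiddleware().process_request(request)
+ self.assertEqual(response.status_code, 301)
+
 class ConditionalGetMiddlewareTest(TestCase):
 urls = 'regressiontests.middleware.cond_get_urls'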
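Review bot: test_non_ascii_query_string_does_not_crash asserts only `response.status_code`, so it would still pass if the redirect target were wrong. It should also pin the Location header, for example `self.assertEqual('?' in response['Location'], six.PY3)`, assuming `six` is imported in this module, which the hunk does not show. Separately, if this file enables `unicode_literals` (not visible here), `'drink=café'` is a unicode string on Python 2 rather than the bytestring a WSGI server supplies. In that case `.decode()` would raise UnicodeEncodeError, which the middleware's `except UnicodeDecodeError` does not catch, so building the value explicitly as bytes would exercise the intended path.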