Do not treat empty non-form input as HTML. #4566
Merged
An empty POST body seems to be treated as HTML even though the content type is specified.
Also clarify what the expected validated_data should look like.
…mework into callorico-master
craigds added a commit to koordinates/django-rest-framework that referenced this pull request Feb 23, 2017
If a non-required nested list serializer is *not* included in postdata from an HTML form, the field validation nonetheless returns an empty list. This means you can easily clobber existing data when PUTting to an existing resource, just by not including some list fields. This is made worse by DRF treating skipping request parsing for empty input. - encode#3647 and encode#4566 are "fixed" but do not appear to fix the problem; empty JSON posts still skip request parsing, and list fields not included in the post still get set to empty lists.
Hi, @tomchristie is this line correct? 5677d06#diff-6dc9b019ec1d96c56e0e31dac3bba51cR302 This line of code was added at this pull request, therefore I am asking here.

```python
if media_type and not is_form_media_type(media_type):
    empty_data = QueryDict('', encoding=self._request._encoding)
else:
    empty_data = {}
```

I suppose returning QueryDict should be only for form data type, not for anyone other. In my case I was sending empty request with content-type application/json and received immutable QueryDict(). Is this correct?
peterthomassen added a commit to peterthomassen/django-rest-framework that referenced this pull request Feb 17, 2020
This allows views to distinguish missing payload from empty payload. Related: encode#3647, encode#4566
HTML form input has slightly differing behavior than non-form input. In particular any empty BooleanField is treated as `False` by default, because empty checkboxes do not send any value through.
For the case where no data is included in the request body we shouldn't treat this as an HTML input, unless a form content type has been explicitly included. (nb. have confirmed that at least chrome still includes the form content type with 0 length body in the case of submitting a form with a single empty checkbox.)
Refs. #3649
Closes #3891 - thanks for your work @callorico! 😄
Closes #3892
Closes #3647
This change isn't perfect, but it is the most minimal change that we can make in order to fix the main issue. (BooleanField treated as True for empty input)
Other options would have been:
- `None` sentinel for non-form data. (but don't want to go that way because it'd play less well with Django's existing behavior, and could easily break existing codebases)
- `Content-Type application/json` regardless of if a body is included or not, and we don't want to fail for all of them.)
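
The rule in the description above, as an added stand-alone model (not code from this pull request or from Django REST framework): an empty body counts as HTML form input only when a form content type was sent, so an empty JSON PUT cannot silently flip a stored boolean to `False`. `FormData`, `empty_data_for`, `validate_boolean` and `apply_update` are hypothetical names, and the stored record is constructed sample data.

```python
# Stand-alone model of the behaviour discussed in this PR; not DRF code.
# All names below are hypothetical and exist only for this illustration.

FORM_MEDIA_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")
MISSING = object()  # marks "field was not supplied at all"


class FormData(dict):
    """Stand-in for Django's QueryDict: marks input as HTML form input."""


def is_form_media_type(media_type):
    """True if the Content-Type value names an HTML form encoding."""
    base = (media_type or "").split(";")[0].strip().lower()
    return base in FORM_MEDIA_TYPES


def empty_data_for(media_type):
    """Data to use when the request body is empty.

    Only an explicit form content type yields form-style data; an empty
    JSON body, or no content type at all, yields a plain dict.
    """
    return FormData() if is_form_media_type(media_type) else {}


def validate_boolean(data, name, required=True):
    """Resolve a boolean field for form and non-form input.

    Unchecked checkboxes send nothing, so a key absent from form input
    means False. For non-form input an absent key is simply missing.
    """
    if name in data:
        return bool(data[name])  # simplified coercion for the model
    if isinstance(data, FormData):
        return False
    if required:
        raise ValueError(f"{name}: this field is required")
    return MISSING


def apply_update(stored, media_type, fields):
    """Apply an empty-bodied PUT to `stored` and return the new record."""
    data = empty_data_for(media_type)
    updated = dict(stored)
    for name in fields:
        value = validate_boolean(data, name, required=False)
        if value is not MISSING:
            updated[name] = value
    return updated
```
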