Refs #36520 -- Ensured only the header value is passed to parse_header_parameters for multipart requests.

RealOrangeOne · nessita · commit 41ff30f6f9d0 · 2025-08-28T14:25:36.000-03:00
Header parsing should apply only to the header value. The previous
implementation happened to work but relied on unintended behavior.
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
@@ -721,11 +721,10 @@ def parse_boundary_stream(stream, max_header_size):
 
     # Eliminate blank lines
     for line in header.split(b"\r\n"):
-        # This terminology ("main value" and "dictionary of
-        # parameters") is from the Python docs.
         try:
-            main_value_pair, params = parse_header_parameters(line.decode())
-            name, value = main_value_pair.split(":", 1)
+            header_name, value_and_params = line.decode().split(":", 1)
+            name = header_name.lower().rstrip(" ")
+            value, params = parse_header_parameters(value_and_params.lstrip(" "))
             params = {k: v.encode() for k, v in params.items()}
         except ValueError:  # Invalid header.
             continue
diff --git a/tests/requests_tests/tests.py b/tests/requests_tests/tests.py
@@ -450,6 +450,34 @@ def test_body_after_POST_multipart_form_data(self):
         with self.assertRaises(RawPostDataException):
             request.body
 
+    def test_malformed_multipart_header(self):
+        for header in [
+            'Content-Disposition : form-data; name="name"',
+            'Content-Disposition:form-data; name="name"',
+            'Content-Disposition :form-data; name="name"',
+        ]:
+            with self.subTest(header):
+                payload = FakePayload(
+                    "\r\n".join(
+                        [
+                            "--boundary",
+                            header,
+                            "",
+                            "value",
+                            "--boundary--",
+                        ]
+                    )
+                )
+                request = WSGIRequest(
+                    {
+                        "REQUEST_METHOD": "POST",
+                        "CONTENT_TYPE": "multipart/form-data; boundary=boundary",
+                        "CONTENT_LENGTH": len(payload),
+                        "wsgi.input": payload,
+                    }
+                )
+                self.assertEqual(request.POST, {"name": ["value"]})
+
     def test_body_after_POST_multipart_related(self):
         """
         Reading body after parsing multipart that isn't form-data is allowed
