Fixed #36931 -- Handled LookupError in multipart parser for invalid RFC 2231 encoding.

sammiee5311 · jacobtylerwalls · commit e84dc8715e91 · 2026-02-24T13:44:42.000-05:00
Added LookupError to the except clause so invalid headers are silently
skipped, consistent with other malformed header handling.
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
@@ -726,7 +726,7 @@ def parse_boundary_stream(stream, max_header_size):
             name = header_name.lower().rstrip(" ")
             value, params = parse_header_parameters(value_and_params.lstrip(" "))
             params = {k: v.encode() for k, v in params.items()}
-        except ValueError:  # Invalid header.
+        except (ValueError, LookupError):  # Invalid header.
             continue
 
         if name == "content-disposition":
diff --git a/tests/requests_tests/tests.py b/tests/requests_tests/tests.py
@@ -455,11 +455,18 @@ def test_body_after_POST_multipart_form_data(self):
             request.body
 
     def test_malformed_multipart_header(self):
-        for header in [
-            'Content-Disposition : form-data; name="name"',
-            'Content-Disposition:form-data; name="name"',
-            'Content-Disposition :form-data; name="name"',
-        ]:
+        tests = [
+            ('Content-Disposition : form-data; name="name"', {"name": ["value"]}),
+            ('Content-Disposition:form-data; name="name"', {"name": ["value"]}),
+            ('Content-Disposition :form-data; name="name"', {"name": ["value"]}),
+            # The invalid encoding causes the entire part to be skipped.
+            (
+                'Content-Disposition: form-data; name="name"; '
+                "filename*=BOGUS''test%20file.txt",
+                {},
+            ),
+        ]
+        for header, expected_post in tests:
             with self.subTest(header):
                 payload = FakePayload(
                     "\r\n".join(
@@ -480,7 +487,7 @@ def test_malformed_multipart_header(self):
                         "wsgi.input": payload,
                     }
                 )
-                self.assertEqual(request.POST, {"name": ["value"]})
+                self.assertEqual(request.POST, expected_post)
 
     def test_body_after_POST_multipart_related(self):
         """
