From e84dc8715e91d51364ba6bda2b2fb07e7a8b750e Mon Sep 17 00:00:00 2001
From: sammiee5311
Date: Mon, 16 Feb 2026 12:21:03 +0900
Subject: [PATCH] Fixed #36931 -- Handled LookupError in multipart parser for invalid RFC 2231 encoding.

Added LookupError to the except clause so invalid headers are silently skipped, consistent with other malformed header handling.
---
 django/http/multipartparser.py | 2 +-
 tests/requests_tests/tests.py | 19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index d420c255eb19..b834b8b31b0d 100644
--- django/http/multipartparser.py
+++ django/http/multipartparser.py
@@ -726,7 +726,7 @@ def parse_boundary_stream(stream, max_header_size):
 name = header_name.lower().rstrip(" ")
 value, params = parse_header_parameters(value_and_params.lstrip(" "))
 params = {k: v.encode() for k, v in params.items()}
- except ValueError: # Invalid header.
+ except (ValueError, LookupError): # Invalid header.
 continue
 if name == "content-disposition":
diff --git a/tests/requests_tests/tests.py b/tests/requests_tests/tests.py
index e52989b0da78..e1744bf18059 100644
--- tests/requests_tests/tests.py
+++ tests/requests_tests/tests.py
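Review bot: `LookupError` on the new `except (ValueError, LookupError):` line is wider than the failure it targets, since it is also the base class of `KeyError` and `IndexError`; a real bug in any of the three statements shown in the `try` body would now be dropped silently as an invalid header. The unknown-charset error presumably comes from inside `parse_header_parameters`, so any other caller of that helper on request-supplied headers may still raise on the same input; translating it to `ValueError` where the charset is resolved would cover them as well. If the clause stays as is, the comment could name what is caught: `# Invalid header or unknown RFC 2231 charset.` The `try` statement opens above the hunk, so the full guarded body is not visible here.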
@@ -455,11 +455,18 @@ def test_body_after_POST_multipart_form_data(self):
 request.body
 def test_malformed_multipart_header(self):
- for header in [
- 'Content-Disposition : form-data; name="name"',
- 'Content-Disposition:form-data; name="name"',
- 'Content-Disposition :form-data; name="name"',
- ]:
+ tests = [
+ ('Content-Disposition : form-data; name="name"', {"name": ["value"]}),
+ ('Content-Disposition:form-data; name="name"', {"name": ["value"]}),
+ ('Content-Disposition :form-data; name="name"', {"name": ["value"]}),
+ # The invalid encoding causes the entire part to be skipped.
+ (
+ 'Content-Disposition: form-data; name="name"; '
+ "filename*=BOGUS''test%20file.txt",
+ {},
+ ),
+ ]
+ for header, expected_post in tests:
 with self.subTest(header):
 payload = FakePayload(
 "\r\n".join(
@@ -480,7 +487,7 @@ def test_malformed_multipart_header(self):
 "wsgi.input": payload,
 }
 )
- self.assertEqual(request.POST, {"name": ["value"]})
+ self.assertEqual(request.POST, expected_post)
 def test_body_after_POST_multipart_related(self):
 """
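Review bot: The closing assertion `self.assertEqual(request.POST, expected_post)` in the second hunk checks only `request.POST`, although the new `filename*=BOGUS''test%20file.txt` case describes a file part. Adding `self.assertEqual(request.FILES, {})` alongside it would pin that no upload entry is created when the header is rejected, not just that no form field appears. The loop body between the two hunks is outside the diff, so this assumes `request` is built fresh in each subtest.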