#21231: Limiting the number of variables and files that a POST request can
contain
-------------------------------+--------------------------------------
Reporter: epandurski@… | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by epandurski@…):
It is a hot potato, isn't it?
I think this problem can be solved using an Apache module, but as far as I
know, none of the standard modules does the job. (I assume mod_security
could be helpful, but I do not know much about mod_security.)
I think the problem is much easier to solve in Python/Django than as a
web-server module, exactly because it is not trivial and needs to allow
flexible settings. I agree that my patch is quite incomplete, and I can
think of other things that should be done as well. But those things are
not very hard to do in Python (as you can see, my patch is trivial).
Another important factor is that web developers as a whole do not
understand those problems, and do not even know that they exist.
Unfortunately, this does not make the problems disappear. Django could lead
the way and promote good security practices.
Think about this simple example scenario: I have to allow users to upload
big files (say 20MB) in my Django app, so I set my "LimitRequestBody" to
20MB. Then suddenly all forms in my Django application should be able to
"swallow" 20MB of url-encoded data without eating up my CPU and memory!
Also, how many uploaded files can a 20MB POST request contain? 200,000
should be a good guess. So, how much memory and CPU will the execution of
200,000 upload handlers consume?
I think Django core developers should make a design decision about how to
solve those problems, and what the web developers should be advised to do
about them.
--
Ticket URL: <https://code.djangoproject.com/ticket/21231#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/078.1860e84bd1ff03c335c19e83cf14818a%40djangoproject.com.
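The scenario in the comment above (a body-size limit sized for uploads
leaves every url-encoded form open to hundreds of thousands of tiny fields,
and a multipart body to hundreds of thousands of file parts) is about
counting parts while scanning rather than after a full parse. The code
below is an added illustration of that approach in plain Python; it is not
from the ticket's patch or from Django (Django itself later gained the
DATA_UPLOAD_MAX_NUMBER_FIELDS and DATA_UPLOAD_MAX_NUMBER_FILES settings for
this, which the example does not use). The limit values, function names
and the sample bodies are all assumed/constructed here.

```python
"""Added example: refuse a POST body as soon as it exceeds a field or file
count, instead of parsing all of it and running an upload handler per part.
Limits, names and sample data are hypothetical, not Django's."""

import re
from urllib.parse import unquote_plus

# Assumed limits, standing in for the "flexible settings" the ticket asks for.
MAX_NUMBER_FIELDS = 1000
MAX_NUMBER_FILES = 100


class TooManyParts(Exception):
    """Raised at the first field/file beyond the configured limit."""


def parse_urlencoded_limited(body: bytes, max_fields: int = MAX_NUMBER_FIELDS) -> dict:
    """Parse application/x-www-form-urlencoded data pair by pair.

    Pairs are counted as they are split off, and the first pair beyond
    max_fields aborts the parse. Only accepted pairs are decoded, so a hostile
    body costs at most max_fields decodes plus one linear scan for '&'.
    """
    result: dict = {}
    count = 0
    start = 0
    while start <= len(body):
        end = body.find(b"&", start)
        chunk = body[start:] if end == -1 else body[start:end]
        if chunk:  # skip empty pairs such as "a=1&&b=2"
            count += 1
            if count > max_fields:
                raise TooManyParts(f"more than {max_fields} form fields")
            key, _, value = chunk.partition(b"=")
            result.setdefault(unquote_plus(key.decode("latin-1")), []).append(
                unquote_plus(value.decode("latin-1")))
        if end == -1:
            break
        start = end + 1
    return result


def count_multipart_files(body: bytes, boundary: bytes,
                          max_files: int = MAX_NUMBER_FILES) -> int:
    """Count file parts in a multipart/form-data body from part headers only.

    Stops at the first file beyond max_files without looking at part
    contents, which is the cheap gate that should sit in front of any chain
    of upload handlers. A production parser must also handle the CRLF that
    precedes each boundary and boundaries split across chunks; this scanner
    assumes a complete in-memory body, as the constructed samples are.
    """
    delimiter = b"--" + boundary
    files = 0
    pos = body.find(delimiter)
    while pos != -1:
        pos += len(delimiter)
        if body.startswith(b"--", pos):  # closing delimiter "--boundary--"
            break
        header_end = body.find(b"\r\n\r\n", pos)
        if header_end == -1:
            raise ValueError("malformed multipart body: part without headers")
        headers = body[pos:header_end]
        if re.search(rb"(?im)^content-disposition:.*\bfilename=", headers):
            files += 1
            if files > max_files:
                raise TooManyParts(f"more than {max_files} uploaded files")
        pos = body.find(delimiter, header_end)
    return files


def build_multipart(boundary: bytes, n_files: int) -> bytes:
    """Constructed sample body with n_files one-byte file parts."""
    parts = []
    for i in range(n_files):
        parts.append(
            b"--%s\r\n"
            b'Content-Disposition: form-data; name="f%d"; filename="f%d.txt"\r\n'
            b"Content-Type: text/plain\r\n\r\nx\r\n" % (boundary, i, i))
    return b"".join(parts) + b"--%s--\r\n" % boundary


def check_request(content_type: str, body: bytes) -> str:
    """Apply the count limits before any real parsing or upload handling."""
    try:
        if content_type.startswith("multipart/form-data"):
            boundary = content_type.split("boundary=", 1)[1].encode()
            return f"ok: {count_multipart_files(body, boundary)} file(s)"
        return f"ok: {len(parse_urlencoded_limited(body))} field(s)"
    except TooManyParts as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a normal form, then a 1001-field form body.
    print(check_request("application/x-www-form-urlencoded", b"a=1&b=2&a=3"))
    flood = b"&".join(b"k%d=v" % i for i in range(1001))
    print(check_request("application/x-www-form-urlencoded", flood))
    print(check_request("multipart/form-data; boundary=XYZ", build_multipart(b"XYZ", 101)))
```

The point the scanner makes is the one the ticket raises: the rejection
happens after at most max_fields or max_files cheap steps, so the cost of a
hostile 20MB body is bounded by the limit, not by the body size.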