#21231: Limiting the number of variables and files that a POST request can
contain
-------------------------------+--------------------------------------
Reporter: epandurski@… | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by zerok):
I agree that these settings would be nice, but I agree with Aymeric et al.
that Django is perhaps not the best place for it. Since we are talking
about a memory sizing issue it would be preferable to stop processing such
requests as early as possible. Since Django is usually situated at or
close to the end of the request processing chain, something before it
handling this issue would be preferable. I totally understand that Apache
usually is not expected to do the deep-request-inspection but at the least
the application server should be able to do that. Going down to the
application framework or the application itself for something like that
should be only a last resort.
As reference from other environments, Tomcat has a maxParameterCount (1).
Gunicorn offers something similar but sadly only for headers (2).
Regarding the number of file-parts, this is something mod_security
already offers (3).
(1) http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
(2) http://docs.gunicorn.org/en/latest/configure.html#limit-request-fields
(3) https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecUploadFileLimit
--
Ticket URL: <https://code.djangoproject.com/ticket/21231#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
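
A check of the kind discussed in this ticket, placed in front of the framework's form parsing, as an added example that is not code from the ticket or from Django. The class name `PostPartLimit` and its defaults are hypothetical, and it assumes the server sets `CONTENT_LENGTH`.

```python
import tempfile

class PostPartLimit:
    """WSGI wrapper that counts form fields and file parts before the framework parses them."""

    def __init__(self, app, max_fields=1000, max_files=20, chunk_size=65536):
        self.app, self.chunk_size = app, chunk_size
        self.max_fields, self.max_files = max_fields, max_files

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST":
            ctype = environ.get("CONTENT_TYPE", "").lower()
            limits = {}  # needle -> highest count allowed
            if ctype.startswith("multipart/form-data"):
                # Conservative heuristic: file content that looks like a part
                # header is counted as well, so the count can only be too high.
                limits = {b"content-disposition:": self.max_fields + self.max_files,
                          b"filename=": self.max_files}
            elif ctype.startswith("application/x-www-form-urlencoded"):
                limits = {b"&": self.max_fields - 1}  # n fields, n - 1 separators
            body = self._scan(environ, limits)
            if body is None:
                start_response("413 Payload Too Large", [("Content-Length", "0")])
                return [b""]
            environ["wsgi.input"] = body  # hand the unparsed body on
        return self.app(environ, start_response)

    def _scan(self, environ, limits):
        """Spool the body; return None as soon as one needle exceeds its limit."""
        remaining = int(environ.get("CONTENT_LENGTH") or 0)
        counts = dict.fromkeys(limits, 0)
        keep = max((len(n) for n in limits), default=1) - 1
        tail = b""  # last bytes seen, so needles split across chunks still match
        spool = tempfile.SpooledTemporaryFile(max_size=1 << 20)
        while remaining > 0:
            chunk = environ["wsgi.input"].read(min(self.chunk_size, remaining))
            if not chunk:
                break
            remaining -= len(chunk)
            spool.write(chunk)
            low = chunk.lower()
            for needle, limit in limits.items():
                overlap = tail[max(0, len(tail) - (len(needle) - 1)):]
                counts[needle] += (overlap + low).count(needle)
                if counts[needle] > limit:
                    spool.close()
                    return None
            tail = (tail + low)[-keep:] if keep else b""
        spool.seek(0)
        return spool
```

The body is spooled to disk above 1 MiB, so the check itself does not hold large uploads in memory; a cap on the total body size is still needed separately.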