Re: [Django] #21231: Limiting the number of variables and files that a POST request can contain

[Django]

#21231: Limiting the number of variables and files that a POST request can 
contain
-------------------------------+------------------------------------
     Reporter:  epandurski@…   |                    Owner:  nobody
         Type:  New feature    |                   Status:  new
    Component:  HTTP handling  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by apollo13):

 Replying to [comment:20 epandurski@…]:
 > 1) LimitRequestBody's context is "server config".
 "FORM_DATA_MAX_FIELDS_TOTAL_LENGTH" is specific to the web-application.
 There might be many different applications running on one server, doing
 different CPU/memory intensive stuff.

 `LimitRequestBody` can be set per file/location/vhost etc, so that
 wouldn't count

 > 2) FORM_DATA_MAX_FIELDS_TOTAL_LENGTH is only about "application/x-www-
 form-urlencoded" and "multipart/form-data" MIME types, which I believe are
 the only MIME types which content django may decide to load into memory
 (is that correct?). Notice that somebody may want to allow POST-ing other
 MIME-types of big data, and yet have his/her django web-application
 protected from DoS attacks.

 I might be wrong here: But if my app allows file uploads and I set this
 value to be equivalent to 1GB (I have big files ;)) I could still easily
 DOS the server; in my opinion it would make more sense if that would limit
 post data excluding file data.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/21231#comment:21>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/078.034c237c35c3aafcf8ee0dbb69cfd84c%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.