#21231: Limiting the number of variables and files that a POST request can contain
-------------------------------+------------------------------------
     Reporter:  epandurski@…   |                    Owner:  nobody
         Type:  New feature    |                   Status:  new
    Component:  HTTP handling  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by edevil):

 I would just like to add that the fact that Django does not deal well with
 large form fields or multipart parts is unexpected behaviour. Looking at the
 file upload features, one would think that Django could cope well in use
 cases where we want to receive large file uploads, and so have our web
 server configured to allow large request bodies. In the case of
 "application/x-www-form-urlencoded" requests, large bodies should not be
 expected and normally we can filter them at the web server. But
 "multipart/form-data" requests are processed by the application, since we
 want to allow large FILE parts but not large FIELD parts, and so it is there
 that safety measures need to be.

 I know of several other sites that use Django and process large file
 uploads, which are susceptible to this issue. I've contacted the developers
 and they were indeed just as surprised as I was by this "feature", which I
 consider a security problem.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/21231#comment:23>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
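The per-part check the comment argues for, as an added example (not Django's code and not from the ticket): a minimal multipart/form-data walker that leaves FILE parts uncapped but enforces a byte and count limit on FIELD parts. The limit values, the boundary and the request bodies are constructed for the example.

```python
import re
class PayloadTooLarge(Exception):
    """A multipart body broke the limits set for non-file form fields."""

# Constructed limits: file parts stay unbounded (the web server is assumed to
# cap the total body size); form field values are kept small by design.
MAX_FIELD_BYTES = 1024    # largest non-file field value we will buffer
MAX_FIELD_COUNT = 100     # most non-file fields we will accept
_DISPOSITION = re.compile(rb'name="([^"]*)"(?:;\s*filename="([^"]*)")?')

def parse_multipart(body, boundary, max_field_bytes=MAX_FIELD_BYTES,
                    max_field_count=MAX_FIELD_COUNT):
    """Return (fields, files): fields are buffered under the caps, file parts
    are only measured, never buffered (standing in for streaming to disk)."""
    fields, files, field_count = {}, {}, 0
    parts = body.split(b"--" + boundary)     # [0] preamble, [-1] closing "--"
    for raw in parts[1:-1]:
        raw = raw[2:] if raw.startswith(b"\r\n") else raw      # CRLF after delimiter
        headers, _, content = raw.partition(b"\r\n\r\n")
        content = content[:-2] if content.endswith(b"\r\n") else content
        m = _DISPOSITION.search(headers)
        if m is None:
            raise ValueError("part without a Content-Disposition name")
        name, filename = m.group(1).decode(), m.group(2)
        if filename is not None:             # FILE part: record size only
            files[name] = (filename.decode(), len(content))
            continue
        field_count += 1                     # FIELD part: the caps apply here
        if field_count > max_field_count:
            raise PayloadTooLarge(f"more than {max_field_count} form fields")
        if len(content) > max_field_bytes:
            raise PayloadTooLarge(f"field {name!r} exceeds {max_field_bytes} bytes")
        fields[name] = content
    return fields, files

def verdict(body, boundary, **limits):
    """'accept' or 'reject: <reason>', so callers need not catch the exception."""
    try:
        parse_multipart(body, boundary, **limits)
        return "accept"
    except PayloadTooLarge as exc:
        return f"reject: {exc}"

def build_body(boundary, fields, files):
    """Construct a multipart body for the example (a fixture, not a real client)."""
    head = b'--%s\r\nContent-Disposition: form-data; name="%s"'
    out = [head % (boundary, n) + b"\r\n\r\n%s\r\n" % v for n, v in fields]
    out += [head % (boundary, n) + b'; filename="%s"\r\n\r\n%s\r\n' % (f, d)
            for n, f, d in files]
    return b"".join(out) + b"--" + boundary + b"--\r\n"
```

In a real handler the size check runs while the part is still being read from the socket, before anything is buffered; here the whole body is already in memory, so the check only guards what gets stored.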
