#21231: Limiting the number of variables and files that a POST request can contain
-------------------------------+------------------------------------
     Reporter:  epandurski@…   |  Owner:  nobody
         Type:  New feature    |  Status:  new
    Component:  HTTP handling  |  Version:  master
     Severity:  Normal         |  Resolution:
     Keywords:                 |  Triage Stage:  Accepted
    Has patch:  0              |  Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |  UI/UX:  0
-------------------------------+------------------------------------
Comment (by edevil):

I'd just like to add that the fact that Django does not deal well with large form fields or multipart parts is unexpected behaviour. Looking at the file upload features, one would think that Django could cope well in use cases where we want to receive large file uploads, and so have our web server configured to allow large request bodies.

In the case of "application/x-www-form-urlencoded" requests, large bodies should not be expected and normally we can filter them at the web server. But "multipart/form-data" requests are processed by the application, since we want to allow large FILE parts but not large FIELD parts, and so it is there that safety measures need to be.

I know of several other sites that use Django and process large file uploads which are susceptible to this issue. I've contacted the developers and they were indeed just as surprised as I was by this "feature", which I consider a security problem.

--
Ticket URL: <https://code.djangoproject.com/ticket/21231#comment:23>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
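The policy the comment argues for, as an added example that is not Django's code or part of the ticket: a minimal multipart/form-data parser that bounds the size of ordinary FIELD parts and the total number of parts, while letting FILE parts through at any size so the web server and upload handlers can decide about them. The caps, the `violation`/`build_body` helpers and the sample boundary are constructed for illustration.

```python
import re
MAX_FIELD_BYTES = 1024   # constructed cap on a single non-file field
MAX_PART_COUNT = 100     # constructed cap on fields + files per request

class FormTooLarge(ValueError):
    """Request violates the field-size or part-count policy."""

def parse_multipart(body, boundary, max_field_bytes=MAX_FIELD_BYTES,
                    max_part_count=MAX_PART_COUNT):
    """Parse a multipart/form-data body into ({name: bytes}, {name: (filename, bytes)}).
    FILE parts pass at any size; FIELD sizes and the total part count are bounded.
    """
    fields, files, count = {}, {}, 0
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):           # closing "--boundary--"
            break
        count += 1
        if count > max_part_count:
            raise FormTooLarge("more than %d parts" % max_part_count)
        raw_headers, _, data = chunk[2:].partition(b"\r\n\r\n")
        data = data[:-2]                      # drop CRLF before next delimiter
        name = re.search(rb'[;\s]name="([^"]*)"', raw_headers).group(1).decode()
        fm = re.search(rb'filename="([^"]*)"', raw_headers)
        if fm:                                # FILE part: not size-bounded here
            files[name] = (fm.group(1).decode(), data)
        elif len(data) > max_field_bytes:     # FIELD part: bounded
            raise FormTooLarge("field %r exceeds %d bytes" % (name, max_field_bytes))
        else:
            fields[name] = data
    return fields, files

def violation(body, boundary, **limits):
    """Return the policy error message for a body, or None if it passes."""
    try:
        parse_multipart(body, boundary, **limits)
    except FormTooLarge as exc:
        return str(exc)
    return None

def build_body(boundary, fields=(), files=()):
    """Constructed helper: assemble a multipart body for the tests."""
    out = b""
    for name, value in fields:
        out += b'--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n' % (
            boundary, name.encode(), value)
    for name, filename, value in files:
        out += (b'--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
                b"Content-Type: application/octet-stream\r\n\r\n%s\r\n"
                % (boundary, name.encode(), filename.encode(), value))
    return out + b"--%s--\r\n" % boundary
```

A real implementation would stream the body rather than hold it in memory, but the split between bounded FIELD parts and unbounded FILE parts is the point this comment makes.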