#34968: MultiPartParser silent large header fields size failures
-------------------------------+--------------------------------------
     Reporter:  opichals       |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  HTTP handling  |                  Version:  4.2
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Description changed by opichals:

Old description:

> The `MultiPartParser` silently ignores parts of which the HTTP header
> fields exceed 1024 bytes.
>
> This is caused by the 1024 value being hardcoded here
> https://github.com/django/django/blob/main/django/http/multipartparser.py#L743
>
> Here are common HTTP header field limits across popular web servers
> (from https://stackoverflow.com/a/60623751/2448773):
>  * Apache - 8K
>  * Nginx - 4K-8K
>  * IIS - 8K-16K
>  * Tomcat - 8K – 48K
>  * Node (<13) - 8K; (>13) - 16K
>
> Also reported at https://stackoverflow.com/questions/70572148/django-silently-discarding-uploaded-files-with-long-paths

New description:

 The `MultiPartParser` silently ignores parts of which the HTTP header
 fields exceed 1024 bytes. This causes file uploads to 'ignore' the
 attached file without receiving any type of error or exception.

 This is caused by the 1024 value being hardcoded here
 https://github.com/django/django/blob/main/django/http/multipartparser.py#L743

 Here are common HTTP header field limits across popular web servers
 (from https://stackoverflow.com/a/60623751/2448773):
  * Apache - 8K
  * Nginx - 4K-8K
  * IIS - 8K-16K
  * Tomcat - 8K – 48K
  * Node (<13) - 8K; (>13) - 16K

 Also reported at https://stackoverflow.com/questions/70572148/django-silently-discarding-uploaded-files-with-long-paths

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34968#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
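
A diagnostic sketch added here (not Django's code and not part of the ticket): it scans a raw `multipart/form-data` body and reports parts whose header block does not end within the first 1024 bytes, which is how this example models the silent drop the ticket describes. The helper names, the model itself and the sample body with a long `filename` path are assumptions constructed for illustration.

```python
import re

MAX_HEADER_SIZE = 1024  # the hardcoded value the ticket points at

def split_parts(body, boundary):
    """Return each raw part (headers + payload) between boundary delimiters.
    Simplified: assumes the delimiter never occurs inside a payload."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:  # [0] is the preamble
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        parts.append(chunk.removeprefix(b"\r\n").removesuffix(b"\r\n"))
    return parts

def header_block_size(part):
    """Bytes up to and including the blank line ending the headers, or None."""
    end = part.find(b"\r\n\r\n")
    return None if end == -1 else end + 4

def oversized_parts(body, boundary, limit=MAX_HEADER_SIZE):
    """List (field name, header size) for parts whose header terminator does
    not fit in `limit` bytes. Assumed model: a parser that reads only `limit`
    bytes to find the headers never sees these parts' Content-Disposition."""
    findings = []
    for part in split_parts(body, boundary):
        size = header_block_size(part)
        if size is not None and size <= limit:
            continue
        m = re.search(rb'\bname="([^"]*)"', part)
        name = m.group(1).decode("utf-8", "replace") if m else "<unknown>"
        findings.append((name, size))
    return findings

def build_sample(boundary=b"XBOUNDARY"):
    """Constructed request body: one short field, one file with a long path."""
    long_name = "/".join(["nested-directory"] * 80) + "/report.txt"
    parts = [
        b'Content-Disposition: form-data; name="title"\r\n\r\nhello',
        ('Content-Disposition: form-data; name="upload"; filename="%s"\r\n'
         'Content-Type: text/plain\r\n\r\nfile contents' % long_name).encode(),
    ]
    body = b"".join(b"--" + boundary + b"\r\n" + p + b"\r\n" for p in parts)
    return body + b"--" + boundary + b"--\r\n"

if __name__ == "__main__":
    for name, size in oversized_parts(build_sample(), b"XBOUNDARY"):
        print(f"part {name!r}: header block of {size} bytes exceeds {MAX_HEADER_SIZE}")
```

Running a check like this in middleware or over captured request bodies turns the silent loss into a logged event that can be alerted on or rejected with an explicit error.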
