#34968: MultiPartParser silent large header fields size failures
-------------------------------+--------------------------------------
     Reporter:  opichals       |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  HTTP handling  |                  Version:  4.2
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by opichals):

 > I wonder how niche your use case is as it has worked this way since the
 beginning (d725cc9734272f867d41f7236235c28b3931a1b2).

 Indeed. We have seen it in production, where our client had tried to upload
 files using Postman, which also includes the Unicode version of the
 Content-Disposition filename, which was more than 240 characters long,
 effectively doubling the size of the header line itself, which made it fail:
 {{{
 Content-Disposition: form-data; name="content"; filename="test.txt"
 filename*=UTF-8'test.txt'
 }}}

 > Maybe we could use a module constant for this 🤔 e.g.
 django.http.multipartparser.MAX_HTTP_HEADER_LENGTH and set it initially to
 1024.

 Of course, going to adjust the PR.

 The name you're proposing seems like it could be confused with a single
 header line length limit.
 What about `django.http.multipartparser.MAX_TOTAL_HEADER_SIZE` (taken from
 https://github.com/openstack-archive/deb-python-eventlet/blob/master/eventlet/wsgi.py
 and also https://support.oracle.com/knowledge/Middleware/2302288_1.html)?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34968#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
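
A simplified model of the failure discussed in this ticket, as an added example that is not Django's code and not part of the original comment. It assumes a parser that searches only the first 1024 bytes of a part for the blank line ending the headers; `part_headers`, `find_header_end` and `report` are hypothetical helpers and the filenames are constructed.

```python
from urllib.parse import quote

MAX_HEADER_SIZE = 1024  # limit value mentioned in the comment above


def part_headers(filename: str) -> bytes:
    """Headers of one form-data part from a client that sends both the plain
    filename and its RFC 5987 filename* form (percent-encoded UTF-8)."""
    disposition = (
        'Content-Disposition: form-data; name="content"; '
        f'filename="{filename}"; '
        f"filename*=UTF-8''{quote(filename)}"
    )
    return (disposition + "\r\nContent-Type: text/plain\r\n\r\n").encode("utf-8")


def find_header_end(part: bytes, limit: int = MAX_HEADER_SIZE) -> int:
    """Assumed parser model: only the first `limit` bytes are searched for the
    blank line that ends the headers. Returns its offset, or -1 if not seen."""
    return part[:limit].find(b"\r\n\r\n")


def report(filename: str, limit: int = MAX_HEADER_SIZE) -> tuple[int, bool]:
    """Return (header size in bytes, whether the header end was found)."""
    part = part_headers(filename)
    return len(part), find_header_end(part, limit) != -1


# Constructed sample filenames, not taken from the ticket.
SAMPLES = {
    "short": "test.txt",
    "ascii_250": "a" * 246 + ".txt",
    "non_ascii_250": "é" * 246 + ".txt",
}

if __name__ == "__main__":
    for label, name in SAMPLES.items():
        size, ok = report(name)
        print(f"{label:14} {size:5d} bytes  header end found: {ok}")
    # Same non-ASCII name with a larger limit (4096 is an arbitrary choice).
    print("non_ascii_250 at 4096:", report(SAMPLES["non_ascii_250"], 4096))
```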
