#34968: MultiPartParser silent large header fields size failures
-------------------------------+--------------------------------------
     Reporter:  opichals       |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  HTTP handling  |                  Version:  4.2
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by opichals):

 > I wonder how niche your use case is as it has worked this way since the beginning (d725cc9734272f867d41f7236235c28b3931a1b2).

 Indeed. We have seen it in production where our client had tried to upload files using Postman which includes also the unicode version of Content-Disposition filename which was more than 240 characters long effectively doubling the size of the header line itself which made it fail:
 {{{
 Content-Disposition: form-data; name="content"; filename="test.txt" filename*=UTF-8'test.txt'
 }}}

 > Maybe we could use a module constant for this 🤔 e.g. django.http.multipartparser.MAX_HTTP_HEADER_LENGTH and set it initially to 1024.

 Of course, going to adjust the PR. The name you're proposing seems like it could be confused with a single header line length limit. What about `django.http.multipartparser.MAX_TOTAL_HEADER_SIZE` (taken from https://github.com/openstack-archive/deb-python-eventlet/blob/master/eventlet/wsgi.py and also https://support.oracle.com/knowledge/Middleware/2302288_1.html)?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34968#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
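
Added example (not part of the ticket, the PR or Django's code): a stand-alone Python check that measures each part's header block in a multipart/form-data body against the 1024-byte total proposed in the thread, to show how a long non-ASCII filename sent both as `filename` and percent-encoded `filename*` grows the block. The helper names, boundary and filenames are constructed for illustration, and the sample headers use the `;` separator and `UTF-8''` form.

```python
from urllib.parse import quote

# Constant name and initial value as proposed in the ticket discussion (assumption:
# the limit covers the whole header block of one part, not a single line).
MAX_TOTAL_HEADER_SIZE = 1024


def build_part(boundary: str, filename: str, payload: bytes) -> bytes:
    """Constructed part carrying both filename and its percent-encoded filename* form."""
    headers = (
        f'Content-Disposition: form-data; name="content"; filename="{filename}"; '
        f"filename*=UTF-8''{quote(filename)}\r\n"
        "Content-Type: text/plain\r\n\r\n"
    )
    return b"--" + boundary.encode() + b"\r\n" + headers.encode() + payload + b"\r\n"


def build_body(boundary: str, filenames: list) -> bytes:
    parts = b"".join(build_part(boundary, name, b"hello") for name in filenames)
    return parts + b"--" + boundary.encode() + b"--\r\n"


def part_header_sizes(body: bytes, boundary: str) -> list:
    """Bytes in each part's header block, including the terminating blank line.

    Simplification: splits on the delimiter, so payloads must not contain it.
    """
    sizes = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        end = chunk.find(b"\r\n\r\n")
        # No blank line found: the whole chunk is an unterminated header block.
        sizes.append(len(chunk) if end == -1 else end + 4)
    return sizes


def oversized_parts(body: bytes, boundary: str, limit: int = MAX_TOTAL_HEADER_SIZE) -> list:
    """(part index, header bytes) for every part whose header block exceeds limit."""
    return [(i, n) for i, n in enumerate(part_header_sizes(body, boundary)) if n > limit]


# Constructed sample: short name, 240 ASCII characters, 240 mostly non-ASCII characters.
BOUNDARY = "example-boundary"
SAMPLE_NAMES = ["test.txt", "a" * 236 + ".txt", "é" * 236 + ".txt"]
SAMPLE_BODY = build_body(BOUNDARY, SAMPLE_NAMES)

if __name__ == "__main__":
    for index, size in enumerate(part_header_sizes(SAMPLE_BODY, BOUNDARY)):
        print(index, size, "over limit" if size > MAX_TOTAL_HEADER_SIZE else "ok")
```

Running a captured request body through `oversized_parts` before it reaches the parser gives an explicit list of the offending parts instead of a silent failure.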