#35289: Chunked transfer encoding is not handled correctly by MultiPartParser -------------------------------------+------------------------------------- Reporter: Kyle Agronick | Owner: nobody Type: Bug | Status: new Component: HTTP handling | Version: dev Severity: Normal | Resolution: Keywords: transfer-encoding, | Triage Stage: Accepted chunked, multi-part | Has patch: 0 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 -------------------------------------+------------------------------------- Comment (by Kyle Agronick):
I can make a patch. There are a few ways to fix this. I think the best way should be a new upload file handler that is the default which uses `SpooledTemporaryFile` so it can cleanly fall back if there is too much data while being fast for small requests. I think we also need to check `DATA_UPLOAD_MAX_MEMORY_SIZE` as we are reading the stream into the temp file and throw a `SuspiciousOperation` if we read too much. Looking at the docs it seems `FILE_UPLOAD_MAX_MEMORY_SIZE` and `DATA_UPLOAD_MAX_MEMORY_SIZE` are named similarly but one controls if we write to disk and one controls if we abort the request. That is a bit ambitious considering I've never contributed to Django and would probably require deprecating the current handlers. If we don't want to do the ambitious approach, the check in `MemoryFileUploadHandler` that does `self.activated = content_length <= settings.FILE_UPLOAD_MAX_MEMORY_SIZE` could be `self.activated = content_length and content_length <= settings.FILE_UPLOAD_MAX_MEMORY_SIZE` and cause all requests that don't have a content-length to fall back to `TemporaryFileUploadHandler` in the default configuration. That would mean `MemoryFileUploadHandler` won't work with chunked transfer-encoding without a content-length. Perhaps add a note in the docs since reading an unspecified content-length into memory is dangerous anyways. Thoughts? -- Ticket URL: <https://code.djangoproject.com/ticket/35289#comment:10> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/0107018e521de332-7c8a59c5-6f3c-4502-aebf-ff7db655a1d5-000000%40eu-central-1.amazonses.com.