Do not limit input data in multipartparser by content-length (in parse())
|Reported by:||astaley@…||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Currently, Django's multipart parser attempts to constrain the input stream by the content_length provided in the input request.
This is incorrect behavior; Content-Length only represents the post-processed message body and should NOT be used at this level (where unknown processing may have been done by middleware or apache sites). See RFC 2616 Section 14.13 for more detail: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
A specific example of where this errors is when the client submits gzip'd requests. mod_deflate will uncompress it, but it (correctly) does not change content_length; consequently, the multipart parser truncates the decompressed data. See http://httpd.apache.org/docs/2.0/mod/mod_deflate.html for more detail (If you evaluate the request body yourself, don't trust the Content-Length header! The Content-Length header reflects the length of the incoming data from the client and not the byte count of the decompressed data stream.)
See http://issues.apache.org/jira/browse/XMLRPC-153 for a good discussion on this.