id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10819	Do not limit input data in multipartparser by content-length (in parse())	astaley@…	nobody	"Currently, Django's multipart parser attempts to constrain the input stream by the content_length provided in the input request.

This is incorrect behavior; Content-Length only represents the post-processed message body and should NOT be used at this level (where unknown processing may have been done by middleware or Apache sites).  See RFC 2616 Section 14.13 for more detail: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

A specific example of where this errors is when the client submits gzip'd requests.  mod_deflate will uncompress it, but it (correctly) does not change content_length; consequently, the multipart parser truncates the decompressed data.  See http://httpd.apache.org/docs/2.0/mod/mod_deflate.html for more detail (If you evaluate the request body yourself, don't trust the Content-Length header!  The Content-Length header reflects the length of the incoming data from the client and not the byte count of the decompressed data stream.)

See http://issues.apache.org/jira/browse/XMLRPC-153 for a good discussion on this."		closed	HTTP handling	1.0		wontfix			Unreviewed	0	0	0	0	0	0
