id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21231	Limiting the number of variables and files that a POST request can contain	epandurski@…	Tim Graham <timograham@…>	"== The Problem ==

When deploying a django application one should be able to asses what
will be *the absolute maximum* of memory consumed by each serving
process/thread. Failing to make this assessment correctly may leave the
application open to denial-of-service attacks. For example, when
deploying with apache, an excessive number of threads should be
available in order protect yourself from slowloris-type attacks. Also,
in order to limit the maximum memory and CPU usage under attack
""LimitRequestBody"" should be set to a reasonably small value (1MB for
example). So, here are the naive math: //""100 parallel requests""// X //""1MB
per request""// = //""100MB maximum memory consumed""//

The problem is that the naive math is wrong. A single 1MB POST request
may require *much* more that 1MB to process. 1MB of
""application/x-www-form-urlencoded"" type may contain 200,000 short
name-value pairs, which when fetched into the interpreter consume tens of
megabytes (depending on the platform, probably 10-50MB). So the
correct math would be: //""100 parallel requests""// X //""50MB per request""// =
//""5000MB maximum memory consumed""//. Probably too much for many systems.

As far as I know, django does not offer an easy way to protect against
such edge cases (lots of simultaneous malicious POST request that consume 
unexpected amounts of memory).

== The proposal ==

Introduce two new settings, limiting the maximum number of entities in
a POST request:

**FORM_DATA_URLENCODED_MAX_VARS**: the maximum number of name-value
pairs in the case of ""application/x-www-form-urlencoded"". (no limit by
default)

**FORM_DATA_MULTIPART_MAX_PARTS**: the maximum number of parts in the 
case of ""multipart/form-data"". (no limit by default)

In case those limits are exceeded, the request must be discarded
without being fetched/parsed into memory. (In our example, it would 
consume only 1MB instead of 50.)
"	New feature	closed	HTTP handling	dev	Normal	fixed		andre.cruz@… Florian Apolloner	Ready for checkin	1	0	0	0	0	0