Opened 13 months ago

Last modified 12 months ago

#34968 closed Cleanup/optimization

MultiPartParser silent large header fields size failures — at Version 1

Reported by: Standa Opichal Owned by: nobody
Component: HTTP handling Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Standa Opichal)

The MultiPartParser silently ignores parts of which the http header fields exceed 1024 bytes.

This is caused by the 1024 value being hardcoded here https://github.com/django/django/blob/main/django/http/multipartparser.py#L743

Here is a common http header fields limits across popular web servers (from https://stackoverflow.com/a/60623751/2448773):

  • Apache - 8K
  • Nginx - 4K-8K
  • IIS - 8K-16K
  • Tomcat - 8K – 48K
  • Node (<13) - 8K; (>13) - 16K

Also reported at https://stackoverflow.com/questions/70572148/django-silently-discarding-uploaded-files-with-long-paths

Change History (1)

comment:1 by Standa Opichal, 13 months ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top