Opened 10 months ago
Last modified 10 months ago
#34968 closed Cleanup/optimization
MultiPartParser silent large header fields size failures — at Version 2
| Reported by: | Standa Opichal | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The MultiPartParser silently ignores parts of which the http header fields exceed 1024 bytes. This causes file uploads to 'ignore' the attached file without receiving any type of error or exception.
This is caused by the 1024 value being hardcoded here https://github.com/django/django/blob/main/django/http/multipartparser.py#L743
Here is a common http header fields limits across popular web servers (from https://stackoverflow.com/a/60623751/2448773):
- Apache - 8K
- Nginx - 4K-8K
- IIS - 8K-16K
- Tomcat - 8K – 48K
- Node (<13) - 8K; (>13) - 16K
Also reported at https://stackoverflow.com/questions/70572148/django-silently-discarding-uploaded-files-with-long-paths
Change History (2)
comment:1 by , 10 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 10 months ago
| Description: | modified (diff) |
|---|
Note:
See TracTickets
for help on using tickets.