ExceptionReporter.get_traceback_data() does not handle when request.GET data exceeds DATA_UPLOAD_MAX_NUMBER_FIELDS

[Pēteris Caune]

When the number of query parameters in URL exceeds settings.DATA_UPLOAD_MAX_NUMBER_FIELDS, Django takes more than a second to generate the error page and eventually returns HTTP 500 with a blank page. The "manage.py runserver" output shows a long chain of exceptions, delimited with "The above exception was the direct cause of the following exception:" line.

To reproduce: start a new Django project, and place the following in urls.py:

from django.http import HttpResponse
from django.urls import path


def index(request):
    request.GET.getlist("a")
    url = "/?" + "&".join([f"a={i}" for i in range(0, 1001)])
    return HttpResponse(f"""<a href="{url}">Click me</a>""", content_type="text/html")


urlpatterns = [
    path("", index),
]

The problem is only triggered if

• DEBUG=True (otherwise, Django generates a HTTP 400 response with no delay)
• If the view accesses request.GET

[Sarah Boyce]

Thank you!

Here's a rough test

tests/view_tests/tests/test_debug.py

@@ -461 +461 @@
             response = self.client.get("/raises500/", headers={"accept": "text/plain"})
         self.assertContains(response, "Oh dear, an error occurred!", status_code=500)
 
+    @override_settings(DATA_UPLOAD_MAX_NUMBER_FIELDS=1)
+    def test_max_number_of_fields_exceeded(self):
+        with self.assertLogs("django.security", "WARNING"):
+            response = self.client.get("", query_params={"a": [1, 2]})
+        self.assertContains(response, '<div class="context" id="', status_code=400)
+
 
 class DebugViewQueriesAllowedTests(SimpleTestCase):
     # May need a query to initialize MySQL connection

tests/view_tests/views.py

@@ -22 +22 @@
 
 def index_page(request):
     """Dummy index page"""
+    request.GET.getlist("a")
     return HttpResponse("<html><body>Dummy page</body></html>")
 

[Mohammad Salehi]

Hello, I would like to work on this issue if you’re okay with it?

[Mohammad Salehi]

Hello,

I have worked on this issue and tested some possible solutions. These are the results:

1_ Adding a flag in QueryDict class:
This does not work because QueryDict is recreated with each request so the flag state is not kept requests.

2_ Changing return value of GET and POST methods in WSGIRequest class:
Changing how GET and POST methods return values will only stop the TooManyFieldsSent error from showing. This will make GET and POST methods not work at all. Request processing will not work correctly and important data will be lost. This approach only hides the error message and does not fix the real problem with handling data.

3_ Removing all GET data:
If we set request.GET to an empt dict in foo method, it shows the error and the problem got fixed but it doesn't make sense to alter GET data.

[Mohammad Salehi]

We are encountering a very specific and complex error in the lower layers of the framework. Currently, we use request.GET to retrieve GET parameters. However, if request.GET encounters an error for any reason, how can the higher layers of the framework access these values and display the necessary information on the error page?

which this issue's scenario has exactly the very same problem.

What is your opinion on this?