django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2026-04-07T11:34:17Z 2026-04-07T11:34:17Z Natalia 124304+nessita@users.noreply.github.com 2026-03-11T13:26:18Z urn:sha1:49e1e2b548999a35a025f9682598946bda9e9921 The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main. 2026-04-07T11:33:47Z Natalia 124304+nessita@users.noreply.github.com 2026-03-05T17:41:44Z urn:sha1:0b467893bdde69a2d23034338e76021a1e4f4322 When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main. 2026-04-07T11:33:08Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-16T22:05:22Z urn:sha1:397c22048244db2cd4bb78f570e6c72a3967bf36 Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main. 2026-04-07T11:32:35Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-12T15:00:05Z urn:sha1:60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0 Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews. Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main. 2026-04-07T11:32:02Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-22T22:01:46Z urn:sha1:1cc2a7612f97c109b92415fc11ba9bd0501852e0 Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews. Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main. 2026-03-31T16:29:16Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-27T20:13:25Z urn:sha1:2a8a76a002774e3f6bc10188594593e0104ceb66 Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.