diff options
| author | Andre Cruz <andre.cruz@co.sapo.pt> | 2015-01-07 18:41:29 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-05-12 10:17:52 -0400 |
| commit | 929684d6ee0efb5afad51dc584489d0437d2451b (patch) | |
| tree | 44714f4502df964790f9db9a4751c843fa49a997 /docs | |
| parent | 4065f429f559533f11abbab40624a61027a52b61 (diff) | |
Fixed #21231 -- Enforced a max size for GET/POST values read into memory.
Thanks Tom Christie for review.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/exceptions.txt | 2 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 49 | ||||
| -rw-r--r-- | docs/releases/1.10.txt | 13 |
3 files changed, 64 insertions, 0 deletions
diff --git a/docs/ref/exceptions.txt b/docs/ref/exceptions.txt index 37424fe7c6..c222010172 100644 --- a/docs/ref/exceptions.txt +++ b/docs/ref/exceptions.txt @@ -61,9 +61,11 @@ Django core exception classes are defined in ``django.core.exceptions``. * ``DisallowedModelAdminToField`` * ``DisallowedRedirect`` * ``InvalidSessionKey`` + * ``RequestDataTooBig`` * ``SuspiciousFileOperation`` * ``SuspiciousMultipartForm`` * ``SuspiciousSession`` + * ``TooManyFieldsSent`` If a ``SuspiciousOperation`` exception reaches the WSGI handler level it is logged at the ``Error`` level and results in diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 7423d7d360..838dde808a 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -880,6 +880,51 @@ This is an Oracle-specific setting. The maximum size that the DATAFILE_TMP is allowed to grow to. +.. setting:: DATA_UPLOAD_MAX_MEMORY_SIZE + +DATA_UPLOAD_MAX_MEMORY_SIZE +--------------------------- + +.. versionadded:: 1.10 + +Default: ``2621440`` (i.e. 2.5 MB). + +The maximum size in bytes that a request body may be before a +:exc:`~django.core.exceptions.SuspiciousOperation` (``RequestDataTooBig``) is +raised. The check is done when accessing ``request.body`` or ``request.POST`` +and is calculated against the total request size excluding any file upload +data. You can set this to ``None`` to disable the check. Applications that are +expected to receive unusually large form posts should tune this setting. + +The amount of request data is correlated to the amount of memory needed to +process the request and populate the GET and POST dictionaries. Large requests +could be used as a denial-of-service attack vector if left unchecked. Since web +servers don't typically perform deep request inspection, it's not possible to +perform a similar check at that level. + +See also :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. + +.. setting:: DATA_UPLOAD_MAX_NUMBER_FIELDS + +DATA_UPLOAD_MAX_NUMBER_FIELDS +----------------------------- + +.. versionadded:: 1.10 + +Default: ``1000`` + +The maximum number of parameters that may be received via GET or POST before a +:exc:`~django.core.exceptions.SuspiciousOperation` (``TooManyFields``) is +raised. You can set this to ``None`` to disable the check. Applications that +are expected to receive an unusually large number of form fields should tune +this setting. + +The number of request parameters is correlated to the amount of time needed to +process the request and populate the GET and POST dictionaries. Large requests +could be used as a denial-of-service attack vector if left unchecked. Since web +servers don't typically perform deep request inspection, it's not possible to +perform a similar check at that level. + .. setting:: DATABASE_ROUTERS ``DATABASE_ROUTERS`` @@ -1325,6 +1370,8 @@ Default: ``2621440`` (i.e. 2.5 MB). The maximum size (in bytes) that an upload will be before it gets streamed to the file system. See :doc:`/topics/files` for details. +See also :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`. + .. setting:: FILE_UPLOAD_DIRECTORY_PERMISSIONS ``FILE_UPLOAD_DIRECTORY_PERMISSIONS`` @@ -3258,6 +3305,8 @@ Globalization (``i18n``/``l10n``) HTTP ---- +* :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` +* :setting:`DATA_UPLOAD_MAX_NUMBER_FIELDS` * :setting:`DEFAULT_CHARSET` * :setting:`DEFAULT_CONTENT_TYPE` * :setting:`DISALLOWED_USER_AGENTS` diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt index 410180f838..29af587eec 100644 --- a/docs/releases/1.10.txt +++ b/docs/releases/1.10.txt @@ -719,6 +719,19 @@ custom lookup for it. For example:: ``POINT (23.0000000000000000 5.5000000000000000)``, you'll get ``POINT (23 5.5)``. +Maximum size of a request body and the number of GET/POST parameters is limited +------------------------------------------------------------------------------- + +Two new settings help mitigate denial-of-service attacks via large requests: + +* :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limits the size that a request body + may be. File uploads don't count towards this limit. +* :setting:`DATA_UPLOAD_MAX_NUMBER_FIELDS` limits the number of GET/POST + parameters that are parsed. + +Applications that receive unusually large form posts may need to tune these +settings. + Miscellaneous ------------- |
