summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorJacob Walls <jacobtylerwalls@gmail.com>2026-03-24 15:53:27 -0400
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2026-05-05 14:33:27 +0200
commit5a89e341bfc77dd67b7fd57b7091b6430558e1f4 (patch)
treeeda11f2a0d23e74eb8ff6111a44ee2c0d19990fa /scripts
parentd75d57c2c06934a65feabd206129b9d1a230a1da (diff)
Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI.
In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions