Fixed #20347 -- Allowed customizing the maximum number of instantiated forms in formsets.

Co-authored-by: ethurgood <ethurgood@gmail.com>

1 files changed, 10 insertions, 5 deletions

diff --git a/django/forms/formsets.py b/django/forms/formsets.py
index 2b013dcafb..6f819bd696 100644
--- a/django/forms/formsets.py
+++ b/django/forms/formsets.py
@@ -433,16 +433,21 @@ class BaseFormSet:
 
 def formset_factory(form, formset=BaseFormSet, extra=1, can_order=False,
                     can_delete=False, max_num=None, validate_max=False,
-                    min_num=None, validate_min=False):
+                    min_num=None, validate_min=False, absolute_max=None):
     """Return a FormSet for the given form class."""
     if min_num is None:
         min_num = DEFAULT_MIN_NUM
     if max_num is None:
         max_num = DEFAULT_MAX_NUM
-    # hard limit on forms instantiated, to prevent memory-exhaustion attacks
-    # limit is simply max_num + DEFAULT_MAX_NUM (which is 2*DEFAULT_MAX_NUM
-    # if max_num is None in the first place)
-    absolute_max = max_num + DEFAULT_MAX_NUM
+    # absolute_max is a hard limit on forms instantiated, to prevent
+    # memory-exhaustion attacks. Default to max_num + DEFAULT_MAX_NUM
+    # (which is 2 * DEFAULT_MAX_NUM if max_num is None in the first place).
+    if absolute_max is None:
+        absolute_max = max_num + DEFAULT_MAX_NUM
+    if max_num > absolute_max:
+        raise ValueError(
+            "'absolute_max' must be greater or equal to 'max_num'."
+        )
     attrs = {
         'form': form,
         'extra': extra,