| field | value | timestamp |
|---|---|---|
| author | Jake Howard <git@theorangeone.net> | 2026-04-01 15:47:30 +0100 |
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 10:33:38 -0400 |
| commit | 1c584b0b1edd1def1e9aa4aef25fc5754f485616 (patch) | |
| tree | 53fd6c2f86cc16f9fd15f981a4d9a4836a4d576b (/docs) | |
| parent | 3330dc2dd97f60ab32d3c912d2649859d063265c (diff) | |
Refs CVE-2026-33034 -- Improved security documentation on handling large request bodies.
Notably that the limit can be bypassed under ASGI.
Diffstat (limited to 'docs')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/ref/settings.txt | 19 |
| -rw-r--r-- | docs/topics/security.txt | 13 |

2 files changed, 24 insertions, 8 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 320ec7f83e..cca7b18f24 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1037,14 +1037,19 @@ The maximum size in bytes that a request body may be before a :exc:`~django.core.exceptions.SuspiciousOperation` (``RequestDataTooBig``) is raised. The check is done when accessing ``request.body`` or ``request.POST`` and is calculated against the total request size excluding any file upload -data. You can set this to ``None`` to disable the check. Applications that are -expected to receive unusually large form posts should tune this setting. +data (``request.FILES``). You can set this to ``None`` to disable the check. +Applications that are expected to receive unusually large form posts should +tune this setting. -The amount of request data is correlated to the amount of memory needed to -process the request and populate the GET and POST dictionaries. Large requests -could be used as a denial-of-service attack vector if left unchecked. Since web -servers don't typically perform deep request inspection, it's not possible to -perform a similar check at that level. +Under ASGI, the entire request may be spooled to disk before this limit is +enforced. Therefore, it is strongly recommended to place additional protections +in front of Django which limit the entire request payload. + +The amount of request data is correlated to the amount of memory or storage +needed to process the request and populate the GET and POST dictionaries. +Large requests could be used as a denial-of-service attack vector if left +unchecked. Since web servers don't typically perform deep request inspection, +it's not possible to perform a similar check at that level. See also :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 2e828db0ab..ea3021c26d 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt 
@@ -253,7 +253,9 @@ User-uploaded content * If your site accepts file uploads, it is strongly advised that you limit these uploads in your web server configuration to a reasonable size in order to prevent denial of service (DOS) attacks. In Apache, this - can be easily set using the LimitRequestBody_ directive. + can be easily set using the LimitRequestBody_ directive. You should not rely + solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` + nor :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. * If you are serving your own static files, be sure that handlers like Apache's ``mod_php``, which would execute static files as code, are disabled. You @@ -287,6 +289,15 @@ User-uploaded content .. _same-origin policy: https://en.wikipedia.org/wiki/Same-origin_policy +Form Submissions +================ + +* Form submissions containing files are not limited by + :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`. Under ASGI, the entire request may be + spooled to disk before any file size validation is performed. It is strongly + advised that you limit the maximum request body size in your web server + configuration to prevent denial of service (DOS) attacks. + .. _security-csp: Content Security Policy |
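Review bot: In the docs/ref/settings.txt hunk, the new paragraph "it is strongly recommended to place additional protections in front of Django which limit the entire request payload" never says what those protections are, while the security topic edited in the same commit names the mechanism (a request body limit in the web server, with Apache's LimitRequestBody_ as the example); add a cross-reference to that section instead of leaving the reader to find it. The consequence also deserves to be spelled out: the first paragraph of the hunk says the check runs only "when accessing ``request.body`` or ``request.POST``", so under ASGI the spooling to disk has already happened by the time the check can run, and the storage is consumed even if the view never reads the body. Minor ordering point: the ASGI caveat is inserted before the sentence that motivates it ("Large requests could be used as a denial-of-service attack vector if left unchecked"); placing it after that paragraph would let the caveat follow the explanation it depends on.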
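Review bot: In the first docs/topics/security.txt hunk (the file-uploads bullet), "You should not rely solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` nor :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`" mixes "not ... nor"; write "solely on ... or on ..." (or "on neither ... nor ..."). The sentence also gives no reason, so the reader has to go to the settings reference to learn why; a short clause would do, e.g. "since the former excludes file data and, under ASGI, the body may already have been spooled to disk before either applies", which is exactly what the settings hunk and the new section below state. Note as well that this bullet and the new "Form Submissions" section a few lines down now give the same advice twice (limit the request body in the web server configuration); keeping it in one place, with the other pointing to it, avoids the two drifting apart.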
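Review bot: The new "Form Submissions" heading in the second docs/topics/security.txt hunk uses title case while the surrounding headings in this file use sentence case ("User-uploaded content", "Content Security Policy" aside); use "Form submissions". The section consists of a single bullet under its own heading; a one-item list reads better as a plain paragraph, and it could reuse the existing LimitRequestBody_ link rather than repeating "limit the maximum request body size in your web server configuration" in prose. The section also has no reference label of its own, so nothing can link to it (the ASGI paragraph in the settings reference is the obvious candidate); add a target above the heading following the ``.. _security-csp:`` pattern of the section that follows it.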
