[6.0.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.

When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.

The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.

Thanks to Seokchan Yoon for the report and the fixing patch.

Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.

0 files changed, 0 insertions, 0 deletions