[6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests.

The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.

This work adds a new check on the actual number of bytes consumed.

Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.

Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.

0 files changed, 0 insertions, 0 deletions