| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | docs/ref/settings.txt | 19 |
| -rw-r--r-- | docs/topics/security.txt | 13 |
2 files changed, 24 insertions, 8 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index b0750d3a42..3d0761dfc6 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1042,14 +1042,19 @@ The maximum size in bytes that a request body may be before a :exc:`~django.core.exceptions.SuspiciousOperation` (``RequestDataTooBig``) is raised. The check is done when accessing ``request.body`` or ``request.POST`` and is calculated against the total request size excluding any file upload -data. You can set this to ``None`` to disable the check. Applications that are -expected to receive unusually large form posts should tune this setting. +data (``request.FILES``). You can set this to ``None`` to disable the check. +Applications that are expected to receive unusually large form posts should +tune this setting. -The amount of request data is correlated to the amount of memory needed to -process the request and populate the GET and POST dictionaries. Large requests -could be used as a denial-of-service attack vector if left unchecked. Since web -servers don't typically perform deep request inspection, it's not possible to -perform a similar check at that level. +Under ASGI, the entire request may be spooled to disk before this limit is +enforced. Therefore, it is strongly recommended to place additional protections +in front of Django which limit the entire request payload. + +The amount of request data is correlated to the amount of memory or storage +needed to process the request and populate the GET and POST dictionaries. +Large requests could be used as a denial-of-service attack vector if left +unchecked. Since web servers don't typically perform deep request inspection, +it's not possible to perform a similar check at that level. See also :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 2e828db0ab..ea3021c26d 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt 
@@ -253,7 +253,9 @@ User-uploaded content * If your site accepts file uploads, it is strongly advised that you limit these uploads in your web server configuration to a reasonable size in order to prevent denial of service (DOS) attacks. In Apache, this - can be easily set using the LimitRequestBody_ directive. + can be easily set using the LimitRequestBody_ directive. You should not rely + solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` + nor :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. * If you are serving your own static files, be sure that handlers like Apache's ``mod_php``, which would execute static files as code, are disabled. You @@ -287,6 +289,15 @@ User-uploaded content .. _same-origin policy: https://en.wikipedia.org/wiki/Same-origin_policy +Form Submissions +================ + +* Form submissions containing files are not limited by + :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`. Under ASGI, the entire request may be + spooled to disk before any file size validation is performed. It is strongly + advised that you limit the maximum request body size in your web server + configuration to prevent denial of service (DOS) attacks. + .. _security-csp: Content Security Policy |
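Review bot: the new "Under ASGI" paragraph in the ``DATA_UPLOAD_MAX_MEMORY_SIZE`` entry (docs/ref/settings.txt hunk) tells the reader to "place additional protections in front of Django" but gives no pointer to where that guidance lives, even though this same patch adds it to docs/topics/security.txt; add a ``:ref:`` (or ``:doc:`/topics/security```) to that section so the recommendation is actionable from the settings reference. The same paragraph says the body "may be spooled to disk before this limit is enforced" while the following paragraph now says "memory or storage"; consider stating in one place that the limit is checked only when ``request.body`` or ``request.POST`` is accessed, which is the reason the spooling happens first, so the two paragraphs read as one explanation rather than two separate caveats.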
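Review bot: in the first docs/topics/security.txt hunk, "You should not rely solely on ... nor ..." is ungrammatical after "not"; use "on ``DATA_UPLOAD_MAX_MEMORY_SIZE`` or ``FILE_UPLOAD_MAX_MEMORY_SIZE``". The added sentence also breaks after the first ``:setting:`` role, leaving a short orphan line; reflow it to the same wrap width as the surrounding bullet text. Finally, the sentence gives no reason, so a reader cannot tell why the settings are insufficient; a short clause such as "because neither caps the total size of a request that includes files" (the point the new "Form Submissions" bullet makes) would make the advice self-explanatory.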
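Review bot: in the new "Form Submissions" section (second docs/topics/security.txt hunk), "Form submissions containing files are not limited by ``DATA_UPLOAD_MAX_MEMORY_SIZE``" overstates what the settings hunk in this patch says: the check still applies to the request, it only excludes the file upload data (``request.FILES``). Suggest "The file portions of form submissions are excluded from ``DATA_UPLOAD_MAX_MEMORY_SIZE``" so the two documents agree. The bullet then repeats the web-server-limit advice already given in the "User-uploaded content" list item just above; either cross-reference that item or fold this caveat into it rather than stating it twice. Also confirm that the ``=`` underline chosen for the new heading matches the level used by the sibling sections in this file so it does not render as a top-level title.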
