Enforce max_fields and max_part_size in FormParser #3329

Merged: Kludex merged 1 commit into main from enforce-form-limits-urlencoded, Jun 12, 2026
Conversation

@Kludex Kludex (Owner) commented Jun 12, 2026

request.form() accepts max_fields and max_part_size, but these were only forwarded to MultiPartParser. For application/x-www-form-urlencoded bodies, FormParser was constructed without them and had no field-count or field-size checks, so the limits had no effect.

This forwards both limits to FormParser and enforces them while parsing, raising MultiPartException (returned as 400 inside an app) when a body exceeds them. Defaults match MultiPartParser: max_fields=1000, max_part_size=1MB.

AI Disclaimer

This PR was developed with the assistance of either Claude or Codex. I've reviewed and verified the changes.


The limits accepted by `request.form()` were only applied to `multipart/form-data`. Forward them to `FormParser` and enforce them while parsing `application/x-www-form-urlencoded` bodies, matching the `MultiPartParser` defaults (`max_fields=1000`, `max_part_size=1MB`).
@Kludex Kludex merged commit dba1c4b into main Jun 12, 2026
13 checks passed
@Kludex Kludex deleted the enforce-form-limits-urlencoded branch June 12, 2026 09:03

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ffeda64b56


Comment thread starlette/formparsers.py
Comment on lines +132 to +134
field_count += 1
if field_count > self.max_fields:
raise MultiPartException(f"Too many fields. Maximum number of fields is {self.max_fields}.")


P2: Enforce max_fields during parser callbacks

When the URL-encoded body arrives as one ASGI receive chunk (for example via TestClient, some servers, or after request.body() cached it), QuerystringParser.write() invokes all callbacks before this loop drains self.messages. A request with far more than max_fields tiny fields is therefore fully tokenized and buffered in self.messages before this field_count check can raise, so the new security limit does not bound CPU/memory in that common chunking scenario. Count and reject in the callback path (or otherwise process messages while write() is running) so parsing stops as soon as the limit is crossed.

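The failure mode described in the review comment above, as an added illustration that is not code from Starlette or python-multipart: a constructed toy push parser (`PushParser`, standing in for `QuerystringParser`) fires its callback for every field before `write()` returns, so a count performed only after `write()` buffers the whole flood, while a count inside the callback stops at the limit. `FormLimitExceeded` is a stand-in for `MultiPartException`.

```python
from urllib.parse import unquote_plus


class FormLimitExceeded(Exception):
    """Stand-in for Starlette's MultiPartException (constructed for this example)."""


class PushParser:
    """Constructed toy push parser. Like the QuerystringParser behaviour the review
    describes, write() tokenizes the whole chunk and fires on_field for every
    pair before it returns, so the caller cannot interpose between fields."""

    def __init__(self, on_field):
        self.on_field = on_field

    def write(self, chunk: bytes) -> None:
        for pair in chunk.split(b"&"):
            if pair:
                name, _, value = pair.partition(b"=")
                self.on_field(unquote_plus(name.decode()), unquote_plus(value.decode()))


def parse_check_after_write(body: bytes, max_fields: int) -> tuple[bool, int]:
    """Count fields only after write() returns (the pattern the review flags).
    Returns (accepted, buffered): buffered is how many fields were tokenized
    and held in memory before the limit check could run."""
    messages: list[tuple[str, str]] = []
    PushParser(lambda name, value: messages.append((name, value))).write(body)
    return len(messages) <= max_fields, len(messages)


def parse_check_in_callback(body: bytes, max_fields: int) -> tuple[bool, int]:
    """Reject inside the callback, so tokenizing stops at the first field past
    the limit and at most max_fields pairs are ever buffered."""
    messages: list[tuple[str, str]] = []

    def on_field(name: str, value: str) -> None:
        if len(messages) >= max_fields:
            raise FormLimitExceeded(f"Too many fields. Maximum number of fields is {max_fields}.")
        messages.append((name, value))

    try:
        PushParser(on_field).write(body)
    except FormLimitExceeded:
        return False, len(messages)
    return True, len(messages)


if __name__ == "__main__":
    # Constructed single-chunk body: 10,000 tiny fields against a limit of 1000.
    flood = b"&".join([b"a=1"] * 10_000)
    print(parse_check_after_write(flood, 1000))   # (False, 10000): everything buffered first
    print(parse_check_in_callback(flood, 1000))   # (False, 1000): stopped at the limit
```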

@Kludex Kludex (Owner, Author) replied:

Yeah, I guess.

@Kludex Kludex (Owner, Author) replied:

I should really enforce this in python-multipart.
