The wording in the docs about the max_content_length property indicates that it applies for all usages of the request, including when accessing the raw request data.
Special note on the get_data method: Calling this loads the full request data into memory. This is only safe to do if the max_content_length is set.
[...]
To avoid being the victim of a DDOS attack you can set the maximum accepted content length and request field sizes. The BaseRequest class has two attributes for that: max_content_length and max_form_memory_size.
The first one can be used to limit the total content length. For example by setting it to 1024 * 1024 * 16 the request won’t accept more than 16MB of transmitted data.
[...]
However in Werkzeug 0.9+ it actually only applies when form data is parsed (and that's the only case covered by tests). The length is not enforced when .get_data() is called.
Failing test case:
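```python
from io import BytesIO
import pytest
from werkzeug import wrappers
from werkzeug.exceptions import RequestEntityTooLarge
from tests import strict_eq  # equality helper from Werkzeug's own test suite


def test_content_length_limiting():
    data = b'Hello World'
    # Limit above the body size: the raw data comes back unchanged.
    req = wrappers.Request.from_values(input_stream=BytesIO(data),
                                       content_length=len(data), method='POST')
    req.max_content_length = 400
    strict_eq(req.get_data(), data)
    # Limit below the body size: get_data() is expected to raise here.
    req = wrappers.Request.from_values(input_stream=BytesIO(data),
                                       content_length=len(data), method='POST')
    req.max_content_length = 4
    pytest.raises(RequestEntityTooLarge, lambda: req.get_data())
```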
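One way to enforce the limit at the point where the raw body is read, so it does not depend on whether get_data() honours max_content_length. This is an added example, not code from Werkzeug or from this report; read_body_limited, BodyTooLarge and sample_environ are hypothetical names, and the WSGI environ dicts are constructed.

```python
from io import BytesIO


class BodyTooLarge(Exception):
    """Hypothetical exception; an application would map it to HTTP 413."""


def read_body_limited(environ, max_len, chunk_size=8192):
    """Return the raw WSGI request body, refusing more than max_len bytes."""
    try:
        declared = int(environ.get("CONTENT_LENGTH") or "")
    except ValueError:
        declared = None  # header missing or malformed
    if declared is not None and declared < 0:
        declared = None

    # Reject early when the client itself declares an oversized body.
    if declared is not None and declared > max_len:
        raise BodyTooLarge(f"declared {declared} bytes, limit is {max_len}")

    # Without a usable Content-Length, read at most one byte past the limit:
    # enough to detect an oversized body without buffering all of it.
    budget = declared if declared is not None else max_len + 1
    stream, chunks, total = environ["wsgi.input"], [], 0
    while total < budget:
        chunk = stream.read(min(chunk_size, budget - total))
        if not chunk:
            break
        chunks.append(chunk)
        total += len(chunk)
    if total > max_len:
        raise BodyTooLarge(f"body exceeds limit of {max_len} bytes")
    return b"".join(chunks)


def sample_environ(data, declare_length=True):
    """Constructed WSGI environ for the demonstration below."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": BytesIO(data)}
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(data))
    return environ


if __name__ == "__main__":
    body = b"Hello World"  # same payload as the failing test above
    print(read_body_limited(sample_environ(body), 400))
    for declare in (True, False):
        try:
            read_body_limited(sample_environ(body, declare), 4)
        except BodyTooLarge as exc:
            print("rejected:", exc)
```

Whether reading a body with no Content-Length is safe at all depends on the WSGI server, which may block or return nothing when the header is absent.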