Enforce max_fields and max_part_size in FormParser#3329
The limits accepted by `request.form()` were only applied to `multipart/form-data`. Forward them to `FormParser` and enforce them while parsing `application/x-www-form-urlencoded` bodies, matching the `MultiPartParser` defaults (`max_fields=1000`, `max_part_size=1MB`).
Docs preview: https://17063e39-starlette.marcelotryle.workers.dev
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ffeda64b56
```python
field_count += 1
if field_count > self.max_fields:
    raise MultiPartException(f"Too many fields. Maximum number of fields is {self.max_fields}.")
```
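Review bot: the `field_count` check at `if field_count > self.max_fields:` sits in the loop that drains `self.messages`, so it only runs after `QuerystringParser.write()` has returned for the current chunk; when the whole body arrives in one receive chunk, every field is tokenized and queued before the first comparison happens. Suggest doing the increment and comparison in the field-start callback so the exception aborts `write()` itself, and adding a regression test that feeds a single-chunk body with more than `max_fields` fields and asserts `MultiPartException` is raised.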
Enforce max_fields during parser callbacks
When the URL-encoded body arrives as one ASGI receive chunk (for example via TestClient, some servers, or after request.body() cached it), QuerystringParser.write() invokes all callbacks before this loop drains self.messages. A request with far more than max_fields tiny fields is therefore fully tokenized and buffered in self.messages before this field_count check can raise, so the new security limit does not bound CPU/memory in that common chunking scenario. Count and reject in the callback path (or otherwise process messages while write() is running) so parsing stops as soon as the limit is crossed.
I should really enforce this in python-multipart.
`request.form()` accepts `max_fields` and `max_part_size`, but these were only forwarded to `MultiPartParser`. For `application/x-www-form-urlencoded` bodies, `FormParser` was constructed without them and had no field-count or field-size checks, so the limits had no effect.

This forwards both limits to `FormParser` and enforces them while parsing, raising `MultiPartException` (returned as `400` inside an app) when a body exceeds them. Defaults match `MultiPartParser`: `max_fields=1000`, `max_part_size=1MB`.

AI Disclaimer

This PR was developed with the assistance of either Claude or Codex. I've reviewed and verified the changes.
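The PR description and the Codex review both come down to one property: a field-count or field-size limit only bounds CPU and memory if parsing stops at the byte that crosses it, even when the whole body is delivered in a single chunk. The following is an added illustration and is not Starlette's or python-multipart's code: a minimal incremental `application/x-www-form-urlencoded` parser that checks `max_fields` at the first byte of each new field and `max_part_size` before each byte is buffered, so an oversized single-chunk body is rejected at the first offending byte rather than after full tokenization. `FormLimitExceeded`, `LimitedUrlEncodedParser`, `parse_form`, `reject_point` and `raises_limit` are names chosen for this example; the sample bodies in the usage are constructed.

```python
"""Incremental x-www-form-urlencoded parser with limits enforced as bytes arrive.

Added example (not Starlette's or python-multipart's code). FormLimitExceeded
stands in for Starlette's MultiPartException.
"""
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes


class FormLimitExceeded(Exception):
    """Raised at the exact byte that crosses a configured limit."""


def _decode(raw: bytearray) -> str:
    # '+' means space in form encoding; percent-escapes decode to UTF-8 bytes.
    return unquote_to_bytes(bytes(raw).replace(b"+", b" ")).decode("utf-8", "replace")


class LimitedUrlEncodedParser:
    """Byte-at-a-time parser: limits are checked before anything is buffered,
    so a body that arrives in one chunk is still stopped as soon as it
    crosses max_fields or max_part_size. Defaults mirror the PR (1000 fields,
    1 MB per field, counting name and value bytes but not separators)."""

    def __init__(self, max_fields: int = 1000, max_part_size: int = 1024 * 1024) -> None:
        self.max_fields = max_fields
        self.max_part_size = max_part_size
        self.field_count = 0
        self.fields: List[Tuple[str, str]] = []
        self._name = bytearray()
        self._value = bytearray()
        self._in_value = False
        self._field_open = False

    def _start_field(self) -> None:
        # Counted at the first byte of the field, so the (max_fields + 1)th
        # field is rejected before any of its content is stored.
        self.field_count += 1
        if self.field_count > self.max_fields:
            raise FormLimitExceeded(f"Too many fields. Maximum number of fields is {self.max_fields}.")
        self._field_open = True

    def _end_field(self) -> None:
        if self._field_open:  # empty segments such as "a=1&&b=2" produce no field
            self.fields.append((_decode(self._name), _decode(self._value)))
        self._name.clear()
        self._value.clear()
        self._in_value = False
        self._field_open = False

    def write(self, chunk: bytes) -> None:
        for byte in chunk:
            if byte == 0x26:  # '&' terminates the current field
                self._end_field()
                continue
            if not self._field_open:
                self._start_field()
            if byte == 0x3D and not self._in_value:  # first '=' splits name/value
                self._in_value = True
                continue
            if len(self._name) + len(self._value) >= self.max_part_size:
                raise FormLimitExceeded(f"Part exceeded maximum size of {self.max_part_size} bytes.")
            (self._value if self._in_value else self._name).append(byte)

    def finalize(self) -> List[Tuple[str, str]]:
        self._end_field()  # flush a trailing field with no '&' after it
        return list(self.fields)


def parse_form(chunks, **limits) -> List[Tuple[str, str]]:
    """Feed chunks (as an ASGI receive loop would) and return decoded fields."""
    parser = LimitedUrlEncodedParser(**limits)
    for chunk in chunks:
        parser.write(chunk)
    return parser.finalize()


def raises_limit(chunks, **limits) -> bool:
    try:
        parse_form(chunks, **limits)
    except FormLimitExceeded:
        return True
    return False


def reject_point(body: bytes, **limits) -> Optional[int]:
    """Offset of the byte at which a limit triggered, or None if the body parsed."""
    parser = LimitedUrlEncodedParser(**limits)
    for offset in range(len(body)):
        try:
            parser.write(body[offset:offset + 1])
        except FormLimitExceeded:
            return offset
    parser.finalize()
    return None


if __name__ == "__main__":
    # Constructed sample: five tiny fields in a single chunk, limit of three.
    body = b"&".join(b"f%d=v" % i for i in range(5))
    print(parse_form([b"na", b"me=va", b"lue&x=%2", b"0y"]))
    print("rejected at byte offset", reject_point(body, max_fields=3))
```

`reject_point` is the check to keep in mind when reviewing the real change: with the limit enforced at field start, the five-field sample is refused at offset 15, the first byte of the fourth field, with nothing from that field buffered. A parser that only counts while draining a queue of already-emitted events would return a higher offset, or none at all for a single-chunk body.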