Hello. If your application receives file uploads, and thus you have your frontend server configured to allow request bodies >= 10MB for example, you should pay attention to ticket #21231 (https://code.djangoproject.com/ticket/21231). Django enforces size limits on FILE parts, but does not do the same with FIELD parts, be it in multipart requests or form-data.
This means that an attacker can DoS your server by sending requests with large FIELD parts for Django to parse. This is easy to do. According to the ticket a simple 10MB field can take up 350MB of RAM and make the Django worker spin for 30s. If your application server supports memory usage monitoring for its workers, it can help defuse this issue, but does not solve it.

Best regards,
André Cruz
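The guard below is an added example, not code from the post above or from Django: it is the kind of check a frontend or WSGI middleware could run over the raw request body before Django's multipart parser sees it. It scans the multipart/form-data body chunk by chunk, distinguishes FILE parts (a filename= in Content-Disposition) from FIELD parts, and aborts as soon as a FIELD part exceeds a byte cap or the part count exceeds a limit, without ever buffering a whole part. The function names, the default limits and the sample bodies are assumptions made for this example.

```python
"""Streaming guard against oversized non-file multipart parts.

Added example (not from the post, not Django code).  Names, limits and the
constructed request bodies are assumptions for illustration.
"""


class RequestTooLarge(ValueError):
    """Raised when a FIELD part or the number of parts exceeds the limit.

    bytes_read records how much of the body was consumed before rejection,
    to show that the check fails early rather than after the whole upload.
    """

    def __init__(self, msg: str, bytes_read: int):
        super().__init__(msg)
        self.bytes_read = bytes_read


def _is_file_part(raw_headers: bytes) -> bool:
    # A FILE part carries filename= in Content-Disposition; everything else
    # is a plain FIELD part, which is the kind we want to cap.
    for line in raw_headers.split(b"\r\n"):
        if line.lower().startswith(b"content-disposition:"):
            return b"filename=" in line.lower()
    return False


def check_multipart_limits(chunks, boundary: bytes, max_field_bytes: int = 64 * 1024,
                           max_fields: int = 1000, max_header_bytes: int = 8 * 1024) -> dict:
    """Walk a multipart body given as an iterable of byte chunks.

    Returns a summary dict on success; raises RequestTooLarge as soon as a
    FIELD part grows past max_field_bytes or more than max_fields parts are
    seen.  Only a small tail of the body is ever held in memory.
    """
    delim = b"--" + boundary          # delimiter as it appears at body start
    closing = b"\r\n" + delim         # delimiter as it appears after a part
    buf = b""
    state = "preamble"                # preamble -> after_delim -> headers -> body
    parts = largest_field = part_bytes = seen = 0
    in_file_part = False

    for chunk in chunks:
        seen += len(chunk)
        buf += chunk
        while True:
            if state == "preamble":
                i = buf.find(delim)
                if i < 0:
                    buf = buf[-(len(delim) - 1):]   # keep a possible partial delimiter
                    break
                buf = buf[i + len(delim):]
                state = "after_delim"
            elif state == "after_delim":
                if len(buf) < 2:
                    break
                if buf.startswith(b"--"):           # final delimiter: --boundary--
                    state = "done"
                    break
                if not buf.startswith(b"\r\n"):
                    raise ValueError("malformed multipart: junk after boundary")
                buf = buf[2:]
                state = "headers"
            elif state == "headers":
                j = buf.find(b"\r\n\r\n")
                if j < 0:
                    if len(buf) > max_header_bytes:
                        raise RequestTooLarge("part headers too large", seen)
                    break
                parts += 1
                if parts > max_fields:
                    raise RequestTooLarge("too many multipart parts", seen)
                in_file_part = _is_file_part(buf[:j])
                part_bytes = 0
                buf = buf[j + 4:]
                state = "body"
            elif state == "body":
                i = buf.find(closing)
                if i < 0:
                    # No closing delimiter yet: everything except a tail that
                    # could be the start of one is definitely part content.
                    keep = len(closing) - 1
                    consumed = max(0, len(buf) - keep)
                    part_bytes += consumed
                    buf = buf[consumed:]
                    if not in_file_part and part_bytes > max_field_bytes:
                        raise RequestTooLarge("field part exceeds limit", seen)
                    break
                part_bytes += i
                buf = buf[i + len(closing):]
                if not in_file_part:
                    if part_bytes > max_field_bytes:
                        raise RequestTooLarge("field part exceeds limit", seen)
                    largest_field = max(largest_field, part_bytes)
                state = "after_delim"
            else:
                break
        if state == "done":
            break
    if state != "done":
        raise ValueError("truncated multipart body")
    return {"parts": parts, "largest_field": largest_field}


def build_multipart(boundary: bytes, parts) -> bytes:
    """Constructed test input: parts is a list of (name, filename_or_None, data)."""
    out = []
    for name, filename, data in parts:
        disp = b'form-data; name="%s"' % name
        if filename is not None:
            disp += b'; filename="%s"' % filename
        out.append(b"--" + boundary + b"\r\nContent-Disposition: " + disp + b"\r\n\r\n" + data)
    return b"\r\n".join(out) + b"\r\n--" + boundary + b"--\r\n"


def chunked(data: bytes, size: int):
    """Yield data in fixed-size chunks, as a server would read a body."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


if __name__ == "__main__":
    b = b"frontier"
    big = build_multipart(b, [(b"comment", None, b"A" * 10_000_000)])  # 10MB FIELD part
    try:
        check_multipart_limits(chunked(big, 65536), b)
    except RequestTooLarge as e:
        print("rejected after reading", e.bytes_read, "bytes of", len(big))
```

Run stand-alone, the script rejects a 10MB FIELD part after reading about 128KB of it. FILE parts are left alone so a real upload limit can stay high; only the per-field cap and the part count are enforced here. For completeness, and outside what the post says: later Django releases added the settings DATA_UPLOAD_MAX_MEMORY_SIZE and DATA_UPLOAD_MAX_NUMBER_FIELDS for the same purpose, so on a current Django a check like this is a belt-and-braces measure rather than the only line of defence.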