Hello.
If your application receives file uploads, and thus you have your frontend server configured to allow request bodies >= 10MB for example, you should pay attention to ticket #21231 (https://code.djangoproject.com/ticket/21231). Django enforces size limits on FILE parts, but does not do the same with FIELD parts, be it in multipart requests or form-data.
This means that an attacker can DoS your server by sending requests with large FIELD parts for Django to parse. This is easy to do. According to the ticket a simple 10MB field can take up 350MB of RAM and make the Django worker spin for 30s.
If your application server supports memory usage monitoring for its workers, it can help defuse this issue, but does not solve it.
Best regards,
André Cruz
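As an added illustration of the FILE-versus-FIELD asymmetry described above (this is example code, not Django's parser or anything from the ticket), the scanner below walks a multipart/form-data body in fixed-size chunks, measures every part without buffering it, and aborts as soon as a part without a filename= (a FIELD part) grows past a cap, which is the check a WSGI or edge layer could apply before the body reaches Django. The function names, the boundary and the sample bodies are constructed for the example.

```python
import io
import re

class FieldTooLarge(Exception):
    """Raised as soon as a non-file (FIELD) part grows past the limit."""
_DISP = re.compile(rb"content-disposition:[^\r\n]*", re.I)

def scan_multipart(stream, boundary, max_field_bytes, chunk_size=8192):
    """Walk a multipart/form-data body chunk by chunk, counting each part's bytes
    without keeping any part in memory.  A part whose Content-Disposition has no
    filename= is a FIELD part capped at max_field_bytes; FILE parts are only
    measured.  Returns {part name: size in bytes}.  Accepts a stream or bytes."""
    if isinstance(stream, bytes):          # convenience for captured bodies
        stream = io.BytesIO(stream)
    delim = b"--" + boundary
    buf, sizes = b"", {}
    name, is_file = None, False            # the part currently being consumed
    def more(data):                        # pull the next chunk from the wire
        chunk = stream.read(chunk_size)
        if not chunk:
            raise ValueError("truncated multipart body")
        return data + chunk
    def account(n):                        # attribute n bytes to the current part
        if name is None or n <= 0:         # nothing before the first boundary
            return
        sizes[name] = sizes.get(name, 0) + n
        if not is_file and sizes[name] > max_field_bytes:
            raise FieldTooLarge(f"field {name!r} exceeds {max_field_bytes} bytes")

    while True:
        idx = buf.find(delim)
        if idx == -1:                      # no boundary in view: count what is safe
            tail = len(delim) + 1          # CRLF + partial delimiter may straddle chunks
            account(len(buf) - tail)
            buf = more(buf[-tail:])
            continue
        data = buf[:idx]                   # last bytes of the current part
        account(len(data) - 2 if data.endswith(b"\r\n") else len(data))
        rest = buf[idx + len(delim):]
        while len(rest) < 2: rest = more(rest)
        if rest.startswith(b"--"):         # closing delimiter: --boundary--
            return sizes
        end = rest.find(b"\r\n\r\n")
        while end == -1:                   # part headers may straddle a chunk
            rest = more(rest)
            end = rest.find(b"\r\n\r\n")
        disp = _DISP.search(rest[:end])
        m = disp and re.search(rb'\bname="([^"]*)"', disp.group(0))
        name = m.group(1).decode() if m else "?"
        is_file = bool(disp and re.search(rb"\bfilename=", disp.group(0)))
        buf = rest[end + 4:]
```

Because the cap is enforced while the body is still being read, an oversized field is rejected after a few chunks rather than after the whole request has been buffered, which is the behaviour the ticket reports Django lacking for FIELD parts.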