-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: net/http: maximum size and number of parts in ParseMultipartForm #68889
Comments
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
I believe the expectation is to wrap the handler in MaxBytesHandler |
It helps us if you have a specific proposal. Thanks. |
I've done my best (edited). |
CC @neild |
Currently package I propose to add a public field MaxMIMEHeaderSize to multipart.Reader. To use this new field, one would call request.MultipartReader() method in |
If the field is set, it is used instead of maxMIMEHeaderSize constant, allowing to further constraint memory usage when parsing multipart streams. Fix golang#68889
If the field is set, it is used instead of maxMIMEHeaderSize constant, allowing to further constraint memory usage when parsing multipart streams. Fixes golang#68889
Change https://go.dev/cl/637915 mentions this issue: |
Proposal Details
Please provide a way to limit the maximum size and number of parts when using
http.ParseMultipartForm
.http.ParseMultipartForm
is handy when the application knows that the files being uploaded are small; in that case, one does not need to go through the hassle ofhttp.MultipartReader
. However, there appears to be no way to causehttp.ParseMultipartForm
to reject the upload if the parts are larger than a given size (say, a megabyte), and no way to reject posts with more than a given number of parts (say, 10).I propose the addition of the following function (name to be reconsidered):
This is just like
ParseMultipartForm
, except that:maxPartSize
is strictly larger than 0, then any of the parts is larger thanmaxPartSize
bytes, the function returnshttp.ErrMessageTooLarge
;maxParts
is strictly larger than 0, then if there are more thanmaxParts
parts the function returnshttp.ErrMessageTooLarge
.If the function returns
http.ErrMesageTooLarge
, then the body of the request has been closed.The text was updated successfully, but these errors were encountered: