diff options
| author | Adrian Moennich <adrian@planetcoding.net> | 2023-05-05 12:32:29 +0200 |
|---|---|---|
| committer | Adrian Moennich <adrian@planetcoding.net> | 2023-05-05 12:34:20 +0200 |
| commit | 4321c5b0c940e42c50d2abd1edd4318f0727d1be (patch) | |
| tree | 5eabd0399308ecb83b2b8a6d390dc1be63fdcd23 | |
| parent | 3a4c8d0844bddfb4b3a3989bd1bc573ed55fea18 (diff) | |
| download | werkzeug-4321c5b0c940e42c50d2abd1edd4318f0727d1be.tar.gz | |
Do not apply max_form_parts to non-multipart data
| -rw-r--r-- | CHANGES.rst | 2 | ||||
| -rw-r--r-- | src/werkzeug/formparser.py | 9 | ||||
| -rw-r--r-- | tests/test_formparser.py | 4 |
3 files changed, 8 insertions, 7 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index fa8d36a8..86e9d113 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -8,6 +8,8 @@ Unreleased - ``Authorization.from_header`` and ``WWWAuthenticate.from_header`` detects tokens that end with base64 padding (``=``). :issue:`2685` - Remove usage of ``warnings.catch_warnings``. :issue:`2690` +- Remove ``max_form_parts`` restriction from standard form data parsing and only use + if for multipart content. :pr:`2694` Version 2.3.3 diff --git a/src/werkzeug/formparser.py b/src/werkzeug/formparser.py index 074ac542..99937e43 100644 --- a/src/werkzeug/formparser.py +++ b/src/werkzeug/formparser.py @@ -105,8 +105,8 @@ def parse_form_data( :param cls: an optional dict class to use. If this is not specified or `None` the default :class:`MultiDict` is used. :param silent: If set to False parsing errors will not be caught. - :param max_form_parts: The maximum number of parts to be parsed. If this is - exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised. + :param max_form_parts: The maximum number of multipart parts to be parsed. If this + is exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised. :return: A tuple in the form ``(stream, form, files)``. .. versionchanged:: 2.3 @@ -157,8 +157,8 @@ class FormDataParser: :param cls: an optional dict class to use. If this is not specified or `None` the default :class:`MultiDict` is used. :param silent: If set to False parsing errors will not be caught. - :param max_form_parts: The maximum number of parts to be parsed. If this is - exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised. + :param max_form_parts: The maximum number of multipart parts to be parsed. If this + is exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised. .. versionchanged:: 2.3 The ``charset`` and ``errors`` parameters are deprecated and will be removed in @@ -378,7 +378,6 @@ class FormDataParser: keep_blank_values=True, encoding=self.charset, errors="werkzeug.url_quote", - max_num_fields=self.max_form_parts, ) except ValueError as e: raise RequestEntityTooLarge() from e diff --git a/tests/test_formparser.py b/tests/test_formparser.py index f9b44d7c..1dcb167e 100644 --- a/tests/test_formparser.py +++ b/tests/test_formparser.py @@ -126,8 +126,8 @@ class TestFormParser: r = Request.from_values(method="POST", data={"a": 1, "b": 2}) r.max_form_parts = 1 - with pytest.raises(RequestEntityTooLarge): - r.form + assert r.form["a"] == "1" + assert r.form["b"] == "2" def test_missing_multipart_boundary(self): data = ( |