You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Request class, in src/quart/wrappers/request.py, has a max_content_length property which is writable: calling code can set it to None, which should remove any limit on the size of the request body. But the Body class checks expected_content_length against max_content_length in its __init__ function, and the value of max_content_length there is always the global default from app.config, because the body object is constructed before application code has a chance to set a different limit on the request. This means that if clients provide Content-Length headers on their uploads, the only way for the application to allow large uploads is by setting app.config["MAX_CONTENT_LENGTH"] = None for the entire application, rather than just for the route that expects the large uploads.
(Strictly speaking it's not the only way, since the application could also do request.body._must_raise = None before reading from the request body within a handler method, but that's a brittle workaround at best. Applications shouldn't have to touch private fields like that.)
Instead, the size should be checked only when the application starts to actually consume the request body, so that the application has a chance to modify max_content_length before doing that. An application should be able to implement a route like this:
…and have this route allow uploads of unlimited size, while other routes are still subject to the limit from app.config["MAX_CONTENT_LENGTH"].
However, this depends on fixing #152, so that Quart doesn't actually start reading the request body until the application starts to consume it. Currently, Quart begins reading the body into memory immediately, so the size limit has to be enforced immediately. There are size checks in both Body.__init__ and Body.append, both of which can run before the application starts to consume the body. The changes for #152 would involve removing the Body.append method and changing Body.__anext__ and Body.__await__ to read directly from the client instead of returning already-buffered input, so the size checks could be done in those places instead.
The text was updated successfully, but these errors were encountered:
The
Requestclass, insrc/quart/wrappers/request.py, has amax_content_lengthproperty which is writable: calling code can set it toNone, which should remove any limit on the size of the request body. But theBodyclass checksexpected_content_lengthagainstmax_content_lengthin its__init__function, and the value ofmax_content_lengththere is always the global default fromapp.config, because the body object is constructed before application code has a chance to set a different limit on the request. This means that if clients provideContent-Lengthheaders on their uploads, the only way for the application to allow large uploads is by settingapp.config["MAX_CONTENT_LENGTH"] = Nonefor the entire application, rather than just for the route that expects the large uploads.(Strictly speaking it's not the only way, since the application could also do
request.body._must_raise = Nonebefore reading from the request body within a handler method, but that's a brittle workaround at best. Applications shouldn't have to touch private fields like that.)Instead, the size should be checked only when the application starts to actually consume the request body, so that the application has a chance to modify
max_content_lengthbefore doing that. An application should be able to implement a route like this:…and have this route allow uploads of unlimited size, while other routes are still subject to the limit from
app.config["MAX_CONTENT_LENGTH"].However, this depends on fixing #152, so that Quart doesn't actually start reading the request body until the application starts to consume it. Currently, Quart begins reading the body into memory immediately, so the size limit has to be enforced immediately. There are size checks in both
Body.__init__andBody.append, both of which can run before the application starts to consume the body. The changes for #152 would involve removing theBody.appendmethod and changingBody.__anext__andBody.__await__to read directly from the client instead of returning already-buffered input, so the size checks could be done in those places instead.The text was updated successfully, but these errors were encountered: