(I discussed this issue before with Florian Apolloner in
[email protected], and we decided to open a thread here).
Consider a simple view:

    from django.http import HttpResponse
    from django.views import View

    class MyView(View):
        def patch(self, request, *args, **kwargs):
            # Reads the whole request body as announced by Content-Length
            request.read()
            return HttpResponse('test')
Next, consider this request:

    curl -X PATCH http://localhost:8000/my-view/ -H 'Content-Length: 4' --data "test"
It will return 'test', as expected.
But with the next request,

    curl -X PATCH http://localhost:8000/my-view/ -H 'Content-Length: 5' --data "test"

where Content-Length is greater than the actual data, it will get stuck at
https://github.com/django/django/blob/5bc3123479bd97dc9d8a36fa9a3421a71063d1da/django/core/handlers/wsgi.py#L41
`stream.read()` calls a method from Python's stdlib socket -
`socket.read()`.
And inside it, it gets stuck at `data = self._sock.recv(left)`.
For example, django-rest-framework calls `request.read()` in its
parsers, and this lib is popular, so every POST or PATCH request may cause
this issue.
Without proper frontend server configuration, the server may become
vulnerable to some DoS attacks.
This can be resolved by setting some timeout -
https://gist.github.com/coldmind/a45879b0e4941336b24e.
But, I'm not sure that this is the right way to resolve it.
At least, this issue should be documented, but I believe that there is a
way to resolve it in code, without hoping that the frontend server will
deal with it.
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/e8618337-9084-48ca-9bbe-b99b10753271%40googlegroups.com.
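The failure mode described in the post, reproduced as an added example (this is not code from the post, from the linked gist, or from Django itself). A tiny server side reads the headers, honours Content-Length, and then tries to read exactly that many body bytes; the client sends the bytes of the two curl requests above and then keeps the connection open without sending anything more. With no socket timeout the final recv() blocks forever, which is the hang the post describes; with a per-socket timeout, the read-timeout approach the post links to, the hang becomes a TimeoutError the server can turn into a 408 and close. The raw requests are constructed here, the timeout values are assumptions, and the code assumes Python 3 with socket.socketpair() available.

```python
import socket

# Constructed raw requests mirroring the two curl invocations in the post:
# the first announces the true body length, the second announces one byte
# more than the client will ever send.
GOOD_REQUEST = (
    b"PATCH /my-view/ HTTP/1.1\r\n"
    b"Host: localhost:8000\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"test"
)
SHORT_REQUEST = GOOD_REQUEST.replace(b"Content-Length: 4", b"Content-Length: 5")


def _recv(sock, size):
    """recv() wrapper: a socket timeout becomes TimeoutError and a closed peer
    becomes ConnectionError, so the caller never blocks indefinitely."""
    try:
        data = sock.recv(size)
    except socket.timeout:
        raise TimeoutError("peer went silent with %d more bytes expected" % size)
    if not data:
        raise ConnectionError("peer closed the connection early")
    return data


def read_exact(sock, length):
    """Read exactly `length` bytes, modelling the body read that a view
    triggers with request.read(). When the announced Content-Length exceeds
    what the client sent, the last recv() in this loop is the call that
    blocks; only the socket timeout (assumed here) gets us out of it."""
    chunks = []
    remaining = length
    while remaining > 0:
        data = _recv(sock, remaining)
        chunks.append(data)
        remaining -= len(data)
    return b"".join(chunks)


def handle_request(sock, timeout):
    """Minimal server side: read headers, parse Content-Length, return the body.
    timeout=None reproduces the indefinite hang described in the post."""
    sock.settimeout(timeout)
    buf = b""
    while b"\r\n\r\n" not in buf:
        buf += _recv(sock, 4096)
    head, _, rest = buf.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    content_length = int(headers.get(b"content-length", b"0"))
    # Bytes that arrived after the blank line are already body bytes; anything
    # beyond Content-Length is ignored, exactly as a server would ignore it.
    body = rest[:content_length]
    body += read_exact(sock, content_length - len(body))
    return body


def simulate(raw_request, timeout):
    """Drive handle_request() over a socketpair. The client writes the request
    once and then just holds the connection open, which is all an attacker
    needs to do to tie up a worker when no timeout is set."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(raw_request)
        return handle_request(server_side, timeout)
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print("honest request ->", simulate(GOOD_REQUEST, timeout=1.0))
    try:
        simulate(SHORT_REQUEST, timeout=0.5)
    except TimeoutError as exc:
        print("short request  ->", exc)
```

Run it and the honest request returns b'test' immediately, while the one that announces five bytes raises after the assumed 0.5 s instead of holding the worker forever. Passing timeout=None to simulate(SHORT_REQUEST, ...) reproduces the original hang, so do that only in a terminal you are prepared to kill. A real deployment usually gets this timeout from the WSGI server or the frontend proxy; the point of the example is that the blocking call is the body read itself, so whatever layer owns the socket has to be the one that bounds it.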