- increase limit to 1024 to account for large ZMI forms

zopefoundation · Feb 18, 2025 · 4f01f26 · 4f01f26
1 parent 456bb6e
commit 4f01f26
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 6 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -11,7 +11,8 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 -------------------
 
 - Add configuration switch for the maximum allowed number of form fields.
-  ``multipart`` version 1.2.1 introduced a default value of 128.
+  ``multipart`` version 1.2.1 introduced a default value of 128, Zope now
+  sets it to 1024.
 
 - Update to newest compatible versions of dependencies.
 

diff --git a/src/ZPublisher/HTTPRequest.py b/src/ZPublisher/HTTPRequest.py
@@ -55,7 +55,7 @@
 
 # DOS attack protection -- limiting the amount of memory for forms
 # probably should become configurable
-FORM_PART_LIMIT = 2 ** 7      # limit for individual form parts
+FORM_PART_LIMIT = 2 ** 10     # limit for individual form parts
 FORM_MEMORY_LIMIT = 2 ** 20   # memory limit for forms
 FORM_DISK_LIMIT = 2 ** 30     # disk limit for forms
 FORM_MEMFILE_LIMIT = 2 ** 12  # limit for `BytesIO` -> temporary file switch

diff --git a/src/Zope2/Startup/tests/test_schema.py b/src/Zope2/Startup/tests/test_schema.py
@@ -225,12 +225,15 @@ def test_dos_protection(self):
                   form-memory-limit 1KB
                   form-disk-limit 1KB
                   form-memfile-limit 1KB
-                  form-part-limit 1024
+                  form-part-limit 2048
                 </dos_protection>
                 """)
             handleWSGIConfig(None, handler)
             for name in params:
-                self.assertEqual(getattr(HTTPRequest, name), 1024)
+                if name == 'FORM_PART_LIMIT':
+                    self.assertEqual(getattr(HTTPRequest, name), 2048)
+                else:
+                    self.assertEqual(getattr(HTTPRequest, name), 1024)
         finally:
             for name in params:
                 setattr(HTTPRequest, name, defaults[name])
diff --git a/src/Zope2/Startup/wsgischema.xml b/src/Zope2/Startup/wsgischema.xml
@@ -144,7 +144,7 @@
       </description>
     </key>
 
-    <key name="form-part-limit" datatype="integer" default="128">
+    <key name="form-part-limit" datatype="integer" default="1024">
       <description>
         Limits the maximum number of parameters or form fields. Larger
         forms are blocked by the underlying field parser.

diff --git a/src/Zope2/utilities/skel/etc/zope.conf.in b/src/Zope2/utilities/skel/etc/zope.conf.in
@@ -284,6 +284,6 @@ instancehome $INSTANCE
 #    The maximum number of form parameters / fields in a request.
 #    Larger forms are blocked by the underlying field parser.
 # Example:
-#    form-part-limit 128
+#    form-part-limit 1024
 
 </dos_protection>