From 4f01f268394f89ab9a7f30866b5d75a7755f8cc4 Mon Sep 17 00:00:00 2001
From: Jens Vagelpohl
Date: Tue, 18 Feb 2025 07:10:14 +0100
Subject: [PATCH] - increase limit to 1024 to account for large ZMI forms
---
 CHANGES.rst | 3 ++-
 src/ZPublisher/HTTPRequest.py | 2 +-
 src/Zope2/Startup/tests/test_schema.py | 7 +++++--
 src/Zope2/Startup/wsgischema.xml | 2 +-
 src/Zope2/utilities/skel/etc/zope.conf.in | 2 +-
 5 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 335d5b1a24..6a16dc3d54 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -11,7 +11,8 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 -------------------
 - Add configuration switch for the maximum allowed number of form fields.
- ``multipart`` version 1.2.1 introduced a default value of 128.
+ ``multipart`` version 1.2.1 introduced a default value of 128, Zope now
+ sets it to 1024.
 - Update to newest compatible versions of dependencies.
diff --git a/src/ZPublisher/HTTPRequest.py b/src/ZPublisher/HTTPRequest.py
index 1dfd96b12a..68ab5655e3 100644
--- a/src/ZPublisher/HTTPRequest.py
+++ b/src/ZPublisher/HTTPRequest.py
@@ -55,7 +55,7 @@
 # DOS attack protection -- limiting the amount of memory for forms
 # probably should become configurable
-FORM_PART_LIMIT = 2 ** 7 # limit for individual form parts
+FORM_PART_LIMIT = 2 ** 10 # limit for individual form parts
 FORM_MEMORY_LIMIT = 2 ** 20 # memory limit for forms
 FORM_DISK_LIMIT = 2 ** 30 # disk limit for forms
 FORM_MEMFILE_LIMIT = 2 ** 12 # limit for `BytesIO` -> temporary file switch
diff --git a/src/Zope2/Startup/tests/test_schema.py b/src/Zope2/Startup/tests/test_schema.py
index 691c9838ce..a05cf9c953 100644
--- a/src/Zope2/Startup/tests/test_schema.py
+++ b/src/Zope2/Startup/tests/test_schema.py
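Review bot: The comments around the raised constant in the HTTPRequest.py hunk are now stale: the header line still says the limits "probably should become configurable", yet this same patch documents a `form-part-limit` key in wsgischema.xml and zope.conf.in and the test hunk drives the `FORM_*_LIMIT` attributes from `form-*-limit` config keys, and the trailing comment `# limit for individual form parts` reads as a per-part size while the CHANGES entry and the schema description call it the maximum number of form fields. I would replace the second header line with `# Defaults; each is overridable via the form-*-limit keys in zope.conf.` and the changed line's comment with `# max number of form fields/parts per request (multipart's default of 128 is too small for large ZMI forms)`. Since this is a DoS guard that now admits eight times as many fields per request for every deployment by default, the comment should also say that operators who do not expose the ZMI can lower it; raising the default is defensible, but the reason and the knob belong next to the number.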
@@ -225,12 +225,15 @@ def test_dos_protection(self):
 form-memory-limit 1KB
 form-disk-limit 1KB
 form-memfile-limit 1KB
- form-part-limit 1024
+ form-part-limit 2048
 """)
 handleWSGIConfig(None, handler)
 for name in params:
- self.assertEqual(getattr(HTTPRequest, name), 1024)
+ if name == 'FORM_PART_LIMIT':
+ self.assertEqual(getattr(HTTPRequest, name), 2048)
+ else:
+ self.assertEqual(getattr(HTTPRequest, name), 1024)
 finally:
 for name in params:
 setattr(HTTPRequest, name, defaults[name])
diff --git a/src/Zope2/Startup/wsgischema.xml b/src/Zope2/Startup/wsgischema.xml
index b91e83f586..e419198307 100644
--- a/src/Zope2/Startup/wsgischema.xml
+++ b/src/Zope2/Startup/wsgischema.xml
@@ -144,7 +144,7 @@ - + Limits the maximum number of parameters or form fields. Larger forms are blocked by the underlying field parser.
diff --git a/src/Zope2/utilities/skel/etc/zope.conf.in b/src/Zope2/utilities/skel/etc/zope.conf.in
index 8cc7742a15..7ef3f157b5 100644
--- a/src/Zope2/utilities/skel/etc/zope.conf.in
+++ b/src/Zope2/utilities/skel/etc/zope.conf.in
@@ -284,6 +284,6 @@ instancehome $INSTANCE
 # The maximum number of form parameters / fields in a request.
 # Larger forms are blocked by the underlying field parser.
 # Example:
-# form-part-limit 128
+# form-part-limit 1024
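Review bot: The new if/else inside the assertion loop of the test_schema.py hunk hard-codes a single special case where a lookup table reads better and scales when the next limit gets its own value: `expected = {'FORM_PART_LIMIT': 2048}` before the loop and `self.assertEqual(getattr(HTTPRequest, name), expected.get(name, 1024))` as the one assertion. Giving every key in the config snippet a distinct value would also catch a handler that writes one setting into the wrong attribute, which three identical `1KB` values cannot. As far as this hunk shows, nothing asserts the new built-in default of 1024 when `form-part-limit` is absent from the config; a check such as `self.assertEqual(defaults['FORM_PART_LIMIT'], 2 ** 10)` would pin the behaviour the commit message describes, assuming `defaults` holds the untouched module values. `test_dos_protection` starts before this hunk, so the `params` and `defaults` setup is not visible here.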