- Add configuration switch for the maximum allowed number of form fields

zopefoundation · Feb 17, 2025 · 68254c0 · 68254c0
1 parent 3217e94
commit 68254c0
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -10,6 +10,9 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 5.12.1 (unreleased)
 -------------------
 
+- Add configuration switch for the maximum allowed number of form fields.
+  ``multipart`` version 1.2.1 introduced a default value of 128.
+
 - Update to newest compatible versions of dependencies.
 
 - Fix Request test data for stricter ``multipart`` parser.

diff --git a/src/ZPublisher/HTTPRequest.py b/src/ZPublisher/HTTPRequest.py
@@ -55,7 +55,7 @@
 
 # DOS attack protection -- limiting the amount of memory for forms
 # probably should become configurable
-FORM_PART_LIMIT = 2 ** 10     # limit for individual form parts
+FORM_PART_LIMIT = 2 ** 7      # limit for individual form parts
 FORM_MEMORY_LIMIT = 2 ** 20   # memory limit for forms
 FORM_DISK_LIMIT = 2 ** 30     # disk limit for forms
 FORM_MEMFILE_LIMIT = 2 ** 12  # limit for `BytesIO` -> temporary file switch

diff --git a/src/Zope2/Startup/tests/test_schema.py b/src/Zope2/Startup/tests/test_schema.py
@@ -195,7 +195,7 @@ def test_dos_protection(self):
         from ZPublisher import HTTPRequest
 
         params = ["FORM_%s_LIMIT" % name
-                  for name in ("MEMORY", "DISK", "MEMFILE")]
+                  for name in ("MEMORY", "DISK", "MEMFILE", "PART")]
         defaults = {name: getattr(HTTPRequest, name) for name in params}
 
         try:
@@ -225,6 +225,7 @@ def test_dos_protection(self):
                   form-memory-limit 1KB
                   form-disk-limit 1KB
                   form-memfile-limit 1KB
+                  form-part-limit 1024
                 </dos_protection>
                 """)
             handleWSGIConfig(None, handler)

diff --git a/src/Zope2/Startup/wsgischema.xml b/src/Zope2/Startup/wsgischema.xml
@@ -143,6 +143,13 @@
        switches from memory to disk.
       </description>
     </key>
+
+    <key name="form-part-limit" datatype="integer" default="128">
+      <description>
+        Limits the maximum number of parameters or form fields. Larger
+        forms are blocked by the underlying field parser.
+      </description>
+    </key>
   </sectiontype>
 
 

diff --git a/src/Zope2/utilities/skel/etc/zope.conf.in b/src/Zope2/utilities/skel/etc/zope.conf.in
@@ -279,4 +279,11 @@ instancehome $INSTANCE
 # Example:
 #    form-memfile-limit 4KB
 
+# Parameter: form-part-limit
+# Description: 
+#    The maximum number of form parameters / fields in a request.
+#    Larger forms are blocked by the underlying field parser.
+# Example:
+#    form-part-limit 128
+
 </dos_protection>