request.max_content_length is only enforced when parsing form data

[davidism]

It should be enforced for raw get_data as well. Not sure if it should apply to stream, since at that point you probably know what you're doing.

Also, it's only enforced if the Content-Length header is set, so chunked requests can spin forever and consume memory.

One solution might be to provide a max_input_length to get_input_stream and always return a LimitedStream if it is set.

[davidism]

To summarize: pass request.max_content_length to get_input_stream as a keyword argument for backwards compat, defaulting to None. If content_length and max_content_length are None, return the stream. Otherwise, return a LimitedStream with the minimum of the two values.

[reinderien]

I'm puzzled that this is closed. Using werkzeug via Flask, MAX_CONTENT_LENGTH has no effect unless parsing form data, but it should also take effect in general when receiving a body with Content-Length > 0.

[davidism]

It's three years old, I'm sure I closed it for a reason, but I don't remember what it was off the top of my head.

This is unreliable anyway, use your HTTP server to control the allowed request size.

[reinderien]

Sure; but if it's unreliable, I would offer that it should be removed altogether, rather than staying in with surprising behaviour.

[davidism]

Fixed by #2620