[6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests.

nessita · jacobtylerwalls · commit 393dbc53e848 · 2026-04-07T07:22:54.000-04:00
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238 from main.
diff --git a/django/http/request.py b/django/http/request.py
@@ -1,6 +1,7 @@
 import codecs
 import copy
 import operator
+import os
 from io import BytesIO
 from itertools import chain
 from urllib.parse import parse_qsl, quote, urlencode, urljoin, urlsplit
@@ -385,15 +386,18 @@ def body(self):
                 )
 
             # Limit the maximum request data size that will be handled
-            # in-memory.
-            if (
-                settings.DATA_UPLOAD_MAX_MEMORY_SIZE is not None
-                and int(self.META.get("CONTENT_LENGTH") or 0)
-                > settings.DATA_UPLOAD_MAX_MEMORY_SIZE
-            ):
-                raise RequestDataTooBig(
-                    "Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE."
-                )
+            # in-memory. Reject early when Content-Length is present and
+            # already exceeds the limit, avoiding reading the body at all.
+            self._check_data_too_big(int(self.META.get("CONTENT_LENGTH") or 0))
+
+            # Content-Length can be absent or understated (e.g.
+            # `Transfer-Encoding: chunked` on ASGI), so for seekable
+            # streams (e.g. SpooledTemporaryFile on ASGI), check the actual
+            # buffered size before reading it all into memory.
+            if self._stream.seekable():
+                stream_size = self._stream.seek(0, os.SEEK_END)
+                self._check_data_too_big(stream_size)
+                self._stream.seek(0)
 
             try:
                 self._body = self.read()
@@ -404,6 +408,14 @@ def body(self):
             self._stream = BytesIO(self._body)
         return self._body
 
+    def _check_data_too_big(self, length):
+        if (
+            settings.DATA_UPLOAD_MAX_MEMORY_SIZE is not None
+            and length > settings.DATA_UPLOAD_MAX_MEMORY_SIZE
+        ):
+            msg = "Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE."
+            raise RequestDataTooBig(msg)
+
     def _mark_post_parse_error(self):
         self._post = QueryDict()
         self._files = MultiValueDict()
diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt
@@ -56,3 +56,14 @@ may trigger repeated memory copying, potentially degrading performance.
 
 This issue has severity "moderate" according to the :ref:`Django security
 policy <security-disclosure>`.
+
+CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
+=========================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
+``HttpRequest.body``, potentially loading an unbounded request body into
+memory and causing service degradation.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt
@@ -56,3 +56,14 @@ may trigger repeated memory copying, potentially degrading performance.
 
 This issue has severity "moderate" according to the :ref:`Django security
 policy <security-disclosure>`.
+
+CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
+=========================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
+``HttpRequest.body``, potentially loading an unbounded request body into
+memory and causing service degradation.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/6.0.4.txt b/docs/releases/6.0.4.txt
@@ -57,6 +57,17 @@ may trigger repeated memory copying, potentially degrading performance.
 This issue has severity "moderate" according to the :ref:`Django security
 policy <security-disclosure>`.
 
+CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
+=========================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
+``HttpRequest.body``, potentially loading an unbounded request body into
+memory and causing service degradation.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
 Bugfixes
 ========
 
diff --git a/tests/asgi/tests.py b/tests/asgi/tests.py
@@ -3,6 +3,7 @@
 import tempfile
 import threading
 import time
+from io import BytesIO
 from pathlib import Path
 from unittest.mock import patch
 
@@ -31,6 +32,7 @@
 from .urls import sync_waiter, test_filename
 
 TEST_STATIC_ROOT = Path(__file__).parent / "project" / "static"
+TOO_MUCH_DATA_MSG = "Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE."
 
 
 class SignalHandler:
@@ -800,3 +802,166 @@ def test_multiple_cookie_headers_http2(self):
                 request = ASGIRequest(scope, None)
                 self.assertEqual(request.META["HTTP_COOKIE"], "a=abc; b=def; c=ghi")
                 self.assertEqual(request.COOKIES, {"a": "abc", "b": "def", "c": "ghi"})
+
+
+class DataUploadMaxMemorySizeASGITests(SimpleTestCase):
+
+    def make_request(
+        self,
+        body,
+        content_type=b"application/octet-stream",
+        content_length=None,
+        stream=None,
+    ):
+        scope = AsyncRequestFactory()._base_scope(method="POST", path="/")
+        scope["headers"] = [(b"content-type", content_type)]
+        if content_length is not None:
+            scope["headers"].append((b"content-length", str(content_length).encode()))
+        return ASGIRequest(scope, stream if stream is not None else BytesIO(body))
+
+    def test_body_size_not_exceeded_without_content_length(self):
+        body = b"x" * 5
+        with self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=5):
+            self.assertEqual(self.make_request(body).body, body)
+
+    def test_body_size_exceeded_without_content_length(self):
+        request = self.make_request(b"x" * 10)
+        with (
+            self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=5),
+            self.assertRaisesMessage(RequestDataTooBig, TOO_MUCH_DATA_MSG),
+        ):
+            request.body
+
+    def test_body_size_check_fires_before_read(self):
+        # The seekable size check rejects oversized bodies before reading
+        # them into memory (i.e. before calling self.read()).
+        class TrackingBytesIO(BytesIO):
+            calls = []
+
+            def read(self, *args, **kwargs):
+                self.calls.append((args, kwargs))
+                return super().read(*args, **kwargs)
+
+        stream = TrackingBytesIO(b"x" * 10)
+        request = self.make_request(b"x" * 10, stream=stream)
+        with (
+            self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=5),
+            self.assertRaisesMessage(RequestDataTooBig, TOO_MUCH_DATA_MSG),
+        ):
+            request.body
+
+        self.assertEqual(stream.calls, [])
+
+    def test_post_size_exceeded_without_content_length(self):
+        request = self.make_request(
+            b"a=" + b"x" * 10,
+            content_type=b"application/x-www-form-urlencoded",
+        )
+        with (
+            self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=5),
+            self.assertRaisesMessage(RequestDataTooBig, TOO_MUCH_DATA_MSG),
+        ):
+            request.POST
+
+    def test_no_limit(self):
+        body = b"x" * 100
+        with self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=None):
+            self.assertEqual(self.make_request(body).body, body)
+
+    async def test_read_body_no_limit(self):
+        chunks = [
+            {"type": "http.request", "body": b"x" * 100, "more_body": True},
+            {"type": "http.request", "body": b"x" * 100, "more_body": False},
+        ]
+
+        async def receive():
+            return chunks.pop(0)
+
+        handler = ASGIHandler()
+        with self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=None):
+            body_file = await handler.read_body(receive)
+            self.addCleanup(body_file.close)
+
+        body_file.seek(0)
+        self.assertEqual(body_file.read(), b"x" * 200)
+
+    def test_non_multipart_body_size_enforced(self):
+        # DATA_UPLOAD_MAX_MEMORY_SIZE is enforced on non-multipart bodies.
+        request = self.make_request(b"x" * 100)
+        with (
+            self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=10),
+            self.assertRaisesMessage(RequestDataTooBig, TOO_MUCH_DATA_MSG),
+        ):
+            request.body
+
+    def test_multipart_file_upload_not_limited_by_data_upload_max(self):
+        # DATA_UPLOAD_MAX_MEMORY_SIZE applies to non-file fields only; a file
+        # upload whose total body exceeds the limit must still succeed.
+        boundary = "testboundary"
+        file_content = b"x" * 100
+        body = (
+            (
+                f"--{boundary}\r\n"
+                f'Content-Disposition: form-data; name="file"; filename="test.txt"\r\n'
+                f"Content-Type: application/octet-stream\r\n"
+                f"\r\n"
+            ).encode()
+            + file_content
+            + f"\r\n--{boundary}--\r\n".encode()
+        )
+        request = self.make_request(
+            body,
+            content_type=f"multipart/form-data; boundary={boundary}".encode(),
+            content_length=len(body),
+        )
+        with self.settings(
+            DATA_UPLOAD_MAX_MEMORY_SIZE=10, FILE_UPLOAD_MAX_MEMORY_SIZE=10
+        ):
+            files = request.FILES
+        self.assertEqual(len(files), 1)
+        uploaded = files["file"]
+        self.addCleanup(uploaded.close)
+        self.assertEqual(uploaded.read(), file_content)
+
+    async def test_read_body_buffers_all_chunks(self):
+        # read_body() consumes all chunks regardless of
+        # DATA_UPLOAD_MAX_MEMORY_SIZE; the limit is enforced later when
+        # HttpRequest.body is accessed.
+        chunks = [
+            {"type": "http.request", "body": b"x" * 10, "more_body": True},
+            {"type": "http.request", "body": b"y" * 10, "more_body": True},
+            {"type": "http.request", "body": b"z" * 10, "more_body": False},
+        ]
+
+        async def receive():
+            return chunks.pop(0)
+
+        handler = ASGIHandler()
+        with self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=15):
+            body_file = await handler.read_body(receive)
+            self.addCleanup(body_file.close)
+
+        self.assertEqual(len(chunks), 0)  # All chunks were consumed.
+        body_file.seek(0)
+        self.assertEqual(body_file.read(), b"x" * 10 + b"y" * 10 + b"z" * 10)
+
+    async def test_read_body_multipart_not_limited(self):
+        # All chunks are consumed regardless of DATA_UPLOAD_MAX_MEMORY_SIZE;
+        # multipart size enforcement happens inside MultiPartParser, not here.
+        chunks = [
+            {"type": "http.request", "body": b"x" * 10, "more_body": True},
+            {"type": "http.request", "body": b"y" * 10, "more_body": True},
+            {"type": "http.request", "body": b"z" * 10, "more_body": False},
+        ]
+
+        async def receive():
+            return chunks.pop(0)
+
+        handler = ASGIHandler()
+        with self.settings(DATA_UPLOAD_MAX_MEMORY_SIZE=15):
+            body_file = await handler.read_body(receive)
+            self.addCleanup(body_file.close)
+
+        self.assertEqual(len(chunks), 0)  # All chunks were consumed.
+        body_file.seek(0)
+        self.assertEqual(body_file.read(), b"x" * 10 + b"y" * 10 + b"z" * 10)
