My understanding is that Django doesn't do any parsing of JSON, XML, etc. but rather simply makes such content available as a raw bytestring, request.body. Therefore I don't see how Django could offer protection for the cases you mentioned.

On Friday, April 15, 2016 at 6:43:27 PM UTC-4, Cristiano Coelho wrote:
> I have a small concern.
>
> The two new settings look like they will work on uploaded files count
> (multipart encoding types) and number of fields sent (url encoded
> encoding). What happens to other request types such as JSON, XML, plain
> text etc... If you are using django-rest-framework, how would the fields
> counter work? It would be a shame if only multipart and urlencoded
> uploads would have the benefit of these checks, while still allowing json,
> xml and others to still be "exploited".
> Note I didn't really read the code changes completely so I'm talking with
> almost no knowledge of the proposed change.
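
The gap discussed in this thread, as an added example that is not code from Django or from either poster: when the framework only hands over the raw body, the application has to bound size and field count itself while parsing JSON. The function name, exception classes and limit values are assumptions chosen for illustration, and `raw` stands in for `request.body`.

```python
import json

# Assumed limits for illustration; these are not Django defaults.
MAX_BODY_BYTES = 1_000_000
MAX_JSON_FIELDS = 1000


class BodyTooLarge(ValueError):
    """Raw body exceeds the byte limit."""


class TooManyFields(ValueError):
    """JSON document contains more object members than allowed."""


def parse_json_limited(raw, max_bytes=MAX_BODY_BYTES, max_fields=MAX_JSON_FIELDS):
    """Parse a raw JSON body (bytes), enforcing size and field-count limits.

    Returns (data, field_count). Object members are counted across all
    nesting levels; array elements are bounded only by the byte limit.
    """
    # Check the size before any decoding or parsing work is done.
    if len(raw) > max_bytes:
        raise BodyTooLarge(f"body is {len(raw)} bytes, limit is {max_bytes}")

    count = 0

    def count_pairs(pairs):
        # Called once per JSON object, innermost objects first.
        nonlocal count
        count += len(pairs)
        if count > max_fields:
            # Abort parsing as soon as the limit is crossed.
            raise TooManyFields(f"more than {max_fields} fields")
        return dict(pairs)

    try:
        data = json.loads(raw.decode("utf-8"), object_pairs_hook=count_pairs)
    except RecursionError as exc:
        # Deeply nested input can exhaust the parser's recursion budget.
        raise ValueError("JSON nesting too deep") from exc
    return data, count


if __name__ == "__main__":
    # Constructed sample body with 50 top-level keys.
    body = json.dumps({f"k{i}": i for i in range(50)}).encode()
    print(parse_json_limited(body)[1])
```
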