Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Temporarily disable form memory limit checking for files and images. #1729

Merged
merged 2 commits into from
Nov 4, 2023
Merged

Temporarily disable form memory limit checking for files and images. #1729

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
796732d
Allow uploads up to 16 MB.
mauritsvanrees Nov 2, 2023
e1bcbee
Changed patch: temporarily disable form memory limit checking for fil…
mauritsvanrees Nov 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions news/3848.bugfix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Temporarily disable form memory limit checking for files and images.
This fixes a regression due to a low Zope form memory limit of 1MB used since Plone 6.0.7.
See `CMFPlone issue 3848 <https://github.com/plone/Products.CMFPlone/issues/3848>`_ and `Zope PR 1142 <https://github.com/zopefoundation/Zope/pull/1142>`_.
@maurits
1 change: 1 addition & 0 deletions src/plone/restapi/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
from . import patches # noqa: ignore=F401
from AccessControl import allow_module
from AccessControl.Permissions import add_user_folders
from plone.restapi.pas import plugin
Expand Down
3 changes: 3 additions & 0 deletions src/plone/restapi/deserializer/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@


def json_body(request):
# TODO We should not read the complete request BODY in memory.
# Once we have fixed this, we can remove the temporary patches.py.
# See there for background information.
try:
data = json.loads(request.get("BODY") or "{}")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on https://github.com/zopefoundation/Zope/blob/master/src/ZPublisher/HTTPRequest.py#L1061, I think we could do (untested):

body = request.get("BODYFILE")
data = {} if body is None else json.load(body)

This will not actually avoid reading the file into memory (https://pythonspeed.com/articles/json-memory-streaming/ makes it clear that json.load still does that) but would bypass the descriptor that enforces the VALUE_LIMIT.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought BODYFILE would only be defined when an actual file is being uploaded, and not for example when you POST a login and password. But that is not true.

It does not sound like a permanent solution, as this would still offer a way to potentially DOS the server. But maybe very large uploads would still get stopped by one of the other limits. And initial testing seems to work out.

Let me open a different PR, so we still have the current one in case there are problems.

except ValueError:
Expand Down
20 changes: 20 additions & 0 deletions src/plone/restapi/patches.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# TEMPORARY patch for low form memory limit introduced in Zope 5.8.4.
# See https://github.com/plone/Products.CMFPlone/issues/3848
# and https://github.com/zopefoundation/Zope/pull/1180
# Should be removed once `plone.restapi.deserializer.json_body` no longer
# reads the complete request BODY in memory.
from ZPublisher.HTTPRequest import ZopeFieldStorage

import logging


logger = logging.getLogger(__name__)
_attr = "VALUE_LIMIT"
_limit = getattr(ZopeFieldStorage, _attr, None)
if _limit:
setattr(ZopeFieldStorage, _attr, None)
logger.info(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.info(
logger.debug(

I don't feel strongly about this, but it feels like it's probably noise for most people.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't feel strongly about this either, but I think it would be good to have this noticeable, because it may remind us developers that we still need to fix this instead of having this temporary patch.

"PATCH: Disabled ZPublisher.HTTPRequest.ZopeFieldStorage.%s. "
"This enables file uploads larger than 1MB.",
_attr,
)