search

pallets / werkzeug

The comprehensive WSGI web application library.
https://werkzeug.palletsprojects.com
BSD 3-Clause "New" or "Revised" License
6.67k stars 1.73k forks source link

Slow performance parsing certain `Content-Type: application/x-www-form-urlencoded` headers #2904

Closed aneshujevic closed 3 months ago

aneshujevic commented 6 months ago

Slow performance has been affecting parsing headers in requests with Content-Type: application/x-www-form-urlencoded header, when trying to parse the form submitted.

Having minimal application which parses form from request like this:

from flask import Flask, request

app = Flask(__name__)

@app.post("/submit")
def submit():
    return {"username": request.form["username"]}

if __name__ == "__main__":
    app.run()

making a request with specially crafted headers like this:

curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'username=test' 'http://127.0.0.1:5000/submit'

would cause excessive load and making workers timeout.

The request should've been parsed without overloading the worker and extracted the form arguments as usual.

I'm planning to make a PR which should fix this issue.

Environment:

davidism commented 6 months ago

Thank you, happy to review the PR when it's in!