Untested changes by Skip Montanaro to have an optional limit on the

size of uploads to POST (new version of these patches).

Lib/cgi.py

@@ -478,6 +478,10 @@ log = initlog		# The current logging function
 # Parsing functions
 # =================
 
+# Maximum input we will accept when REQUEST_METHOD is POST
+# 0 ==> unlimited input
+maxlen = 0
+
 def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
     """Parse a query in the environment or from a file (default stdin)
 
@@ -508,6 +512,8 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
 	    return parse_multipart(fp, pdict)
 	elif ctype == 'application/x-www-form-urlencoded':
 	    clength = string.atoi(environ['CONTENT_LENGTH'])
+	    if maxlen and clength > maxlen:
+		raise ValueError, 'Maximum content length exceeded'
 	    qs = fp.read(clength)
 	else:
 	    qs = ''			# Unknown content-type
@@ -610,6 +616,8 @@ def parse_multipart(fp, pdict):
 		except string.atoi_error:
 		    pass
 	    if bytes > 0:
+		if maxlen and bytes > maxlen:
+		    raise ValueError, 'Maximum content length exceeded'
 		data = fp.read(bytes)
 	    else:
 		data = ""
@@ -829,6 +837,8 @@ class FieldStorage:
 		clen = string.atoi(self.headers['content-length'])
 	    except:
 		pass
+	    if maxlen and clen > maxlen:
+		raise ValueError, 'Maximum content length exceeded'
 	self.length = clen
 
 	self.list = self.file = None
@@ -1186,6 +1196,19 @@ def test(environ=os.environ):
     except:
 	print_exception()
 
+    # Second try with a small maxlen...
+    global maxlen
+    maxlen = 50
+    try:
+	form = FieldStorage()	# Replace with other classes to test those
+	print_form(form)
+	print_environ(environ)
+	print_directory()
+	print_arguments()
+	print_environ_usage()
+    except:
+	print_exception()
+
 def print_exception(type=None, value=None, tb=None, limit=None):
     if type is None:
 	type, value, tb = sys.exc_type, sys.exc_value, sys.exc_traceback