From 28fad23a3f11bdd4d8e0961344df1c6a5983fc3c Mon Sep 17 00:00:00 2001
From: Malcolm Tredinnick <malcolm.tredinnick@gmail.com>
Date: Sat, 23 Sep 2006 13:53:02 +0000
Subject: [PATCH] A corrected version of r3805.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 AUTHORS                      |  1 +
 django/core/handlers/wsgi.py | 26 +++++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/AUTHORS b/AUTHORS
index 88db9bdbf9a..8959a3a746f 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -100,6 +100,7 @@ answer newbie questions, and generally made Django that much better:
     lakin.wecker@gmail.com
     Stuart Langridge <http://www.kryogenix.org/>
     Eugene Lazutkin <http://lazutkin.com/blog/>
+    Jeong-Min Lee
     Christopher Lenz <http://www.cmlenz.net/>
     limodou
     Martin Maney <http://www.chipy.org/Martin_Maney>
diff --git a/django/core/handlers/wsgi.py b/django/core/handlers/wsgi.py
index bf9df57cd67..87e67e9c5b3 100644
--- a/django/core/handlers/wsgi.py
+++ b/django/core/handlers/wsgi.py
@@ -4,6 +4,11 @@ from django.dispatch import dispatcher
 from django.utils import datastructures
 from django import http
 from pprint import pformat
+from shutil import copyfileobj
+try:
+    from cStringIO import StringIO
+except ImportError:
+    from StringIO import StringIO
 
 # See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
 STATUS_CODE_TEXT = {
@@ -50,6 +55,21 @@ STATUS_CODE_TEXT = {
     505: 'HTTP VERSION NOT SUPPORTED',
 }
 
+def safe_copyfileobj(fsrc, fdst, length=16*1024, size=0):
+    """
+    A version of shutil.copyfileobj that will not read more than 'size' bytes.
+    This makes it safe from clients sending more than CONTENT_LENGTH bytes of
+    data in the body.
+    """
+    if not size:
+        return copyfileobj(fsrc, fdst, length)
+    while size > 0:
+        buf = fsrc.read(min(length, size))
+        if not buf:
+            break
+        fdst.write(buf)
+        size -= len(buf)
+
 class WSGIRequest(http.HttpRequest):
     def __init__(self, environ):
         self.environ = environ
@@ -119,7 +139,11 @@ class WSGIRequest(http.HttpRequest):
         try:
             return self._raw_post_data
         except AttributeError:
-            self._raw_post_data = self.environ['wsgi.input'].read(int(self.environ["CONTENT_LENGTH"]))
+            buf = StringIO()
+            content_length = int(self.environ['CONTENT_LENGTH'])
+            safe_copyfileobj(self.environ['wsgi.input'], buf, size=content_length)
+            self._raw_post_data = buf.getvalue()
+            buf.close()
             return self._raw_post_data
 
     GET = property(_get_get, _set_get)