Add a size limit for request bodies

[dav20011]

Upon reading the request body Django's request objects check the content length and compare it to a size limit set in the config:

# Limit the maximum request data size that will be handled in-memory.
if (settings.DATA_UPLOAD_MAX_MEMORY_SIZE is not None and
        int(self.META.get('CONTENT_LENGTH') or 0) > settings.DATA_UPLOAD_MAX_MEMORY_SIZE):
    raise RequestDataTooBig('Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE.')

AsgiRequest objects do not perform this check, which is very dangerous. I was able to spam the server with only a few large request, which made the server incapable of handling any other request.

[andrewgodwin]

Definitely agree, this is verging on a DoS attack.

[ross-weir]

Hi @andrewgodwin . Could I please have a go at adding this one?

[andrewgodwin]

@ross-weir Feel free to have a go and open a pull request with your work!

[jpic]

FYI, this is being re-discussed in #1240 which you're invited to review.