Do not apply max_form_parts to non-multipart data

pallets · May 5, 2023 · 4321c5b · 4321c5b
1 parent 3a4c8d0
commit 4321c5b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -8,6 +8,8 @@ Unreleased
 -   ``Authorization.from_header`` and ``WWWAuthenticate.from_header`` detects tokens
     that end with base64 padding (``=``). :issue:`2685`
 -   Remove usage of ``warnings.catch_warnings``. :issue:`2690`
+-   Remove ``max_form_parts`` restriction from standard form data parsing and only use
+    if for multipart content. :pr:`2694`
 
 
 Version 2.3.3

diff --git a/src/werkzeug/formparser.py b/src/werkzeug/formparser.py
@@ -105,8 +105,8 @@ def parse_form_data(
     :param cls: an optional dict class to use.  If this is not specified
                        or `None` the default :class:`MultiDict` is used.
     :param silent: If set to False parsing errors will not be caught.
-    :param max_form_parts: The maximum number of parts to be parsed. If this is
-        exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised.
+    :param max_form_parts: The maximum number of multipart parts to be parsed. If this
+        is exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised.
     :return: A tuple in the form ``(stream, form, files)``.
 
     .. versionchanged:: 2.3
@@ -157,8 +157,8 @@ class FormDataParser:
     :param cls: an optional dict class to use.  If this is not specified
                        or `None` the default :class:`MultiDict` is used.
     :param silent: If set to False parsing errors will not be caught.
-    :param max_form_parts: The maximum number of parts to be parsed. If this is
-        exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised.
+    :param max_form_parts: The maximum number of multipart parts to be parsed. If this
+        is exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised.
 
     .. versionchanged:: 2.3
         The ``charset`` and ``errors`` parameters are deprecated and will be removed in
@@ -378,7 +378,6 @@ def _parse_urlencoded(
                 keep_blank_values=True,
                 encoding=self.charset,
                 errors="werkzeug.url_quote",
-                max_num_fields=self.max_form_parts,
             )
         except ValueError as e:
             raise RequestEntityTooLarge() from e

diff --git a/tests/test_formparser.py b/tests/test_formparser.py
@@ -126,8 +126,8 @@ def test_x_www_urlencoded_max_form_parts(self):
         r = Request.from_values(method="POST", data={"a": 1, "b": 2})
         r.max_form_parts = 1
 
-        with pytest.raises(RequestEntityTooLarge):
-            r.form
+        assert r.form["a"] == "1"
+        assert r.form["b"] == "2"
 
     def test_missing_multipart_boundary(self):
         data = (