Limit size of request body

config

@@ -24,6 +24,9 @@
 # File storing the PID in daemon mode
 #pid =
 
+# Max size of request body (bytes)
+#max_content_length = 10000000
+
 # Socket timeout (seconds)
 #timeout = 10
 

radicale/__init__.py

@@ -301,6 +301,12 @@ class Application:
         # Get content
         content_length = int(environ.get("CONTENT_LENGTH") or 0)
         if content_length:
+            max_content_length = self.configuration.getint(
+                "server", "max_content_length")
+            if max_content_length and content_length > max_content_length:
+                self.logger.debug(
+                    "Request body too large: %d", content_length)
+                return response(client.REQUEST_ENTITY_TOO_LARGE)
             try:
                 content = self.decode(
                     environ["wsgi.input"].read(content_length), environ)

radicale/config.py

@@ -34,6 +34,7 @@ INITIAL_CONFIG = {
         "hosts": "0.0.0.0:5232",
         "daemon": "False",
         "pid": "",
+        "max_content_length": "10000000",
         "timeout": "10",
         "ssl": "False",
         "certificate": "/etc/apache2/ssl/server.crt",