From 8426e0e6df8a3481c7482d4fbce749bfe77e2e44 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Sat, 3 Jan 2026 02:48:45 +0000
Subject: [PATCH] Enforce client_max_size over entire multipart form (#11889) (#11908)
From: Sam Bull
(cherry picked from commit ed90718fab5d34c127a283e10385f19440df7dd0)
CVE: CVE-2025-69228
Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60]
Signed-off-by: Gyorgy Sarvari
---
 aiohttp/web_request.py | 2 +-
 tests/test_web_functional.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py
index 96222b0..b5fa40c 100644
--- a/aiohttp/web_request.py
+++ b/aiohttp/web_request.py
@@ -721,8 +721,8 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin):
 multipart = await self.multipart()
 max_size = self._client_max_size
+ size = 0
 while (field := await multipart.next()) is not None:
- size = 0
 field_ct = field.headers.get(hdrs.CONTENT_TYPE)
 if isinstance(field, BodyPartReader):
diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py
index c33b3ce..8ec237b 100644
--- a/tests/test_web_functional.py
+++ b/tests/test_web_functional.py
@@ -1705,8 +1705,8 @@ async def test_app_max_client_size(aiohttp_client) -> None:
 await resp.release()
-async def test_app_max_client_size_adjusted(aiohttp_client) -> None:
- async def handler(request):
+async def test_app_max_client_size_adjusted(aiohttp_client: AiohttpClient) -> None:
+ async def handler(request: web.Request) -> web.Response:
 await request.post()
 return web.Response(body=b"ok")
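Review bot: The hoisted `size = 0` in aiohttp/web_request.py has no comment saying it is now a running total for the whole form, so a later cleanup could move it back inside the `while` loop and silently restore the per-field accounting this patch removes. I would add `# Running total across all parts: client_max_size bounds the whole form, not each field.` directly above it. The code that adds to `size` and compares it with `max_size` lies outside this hunk, as does the rest of the enclosing method. When applying the backport, it is worth confirming in the target tree that every branch of the loop body increments `size` before the limit check.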
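Review bot: The new annotations on `test_app_max_client_size_adjusted` reference `AiohttpClient`, and nothing in this hunk shows that name being imported in tests/test_web_functional.py. On an older tree receiving this backport, a missing import would fail when the test module is loaded, because annotations are evaluated at definition time unless `from __future__ import annotations` is in effect. If the target tree lacks the import, either add it or drop the annotations from the backport. Separately, this hunk carries no assertion for the fixed behaviour. A case that posts several fields, each below `client_max_size` but together above it, and expects the request to be rejected as too large would pin the fix; such a test may exist elsewhere in the file, which is not visible here.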