Slow performance parsing certain Content-Type: application/x-www-form-urlencoded headers

[aneshujevic]

Slow performance has been affecting parsing headers in requests with
Content-Type: application/x-www-form-urlencoded header, when trying to parse the form submitted.

Having minimal application which parses form from request like this:

from flask import Flask, request

app = Flask(__name__)

@app.post("/submit")
def submit():
    return {"username": request.form["username"]}

if __name__ == "__main__":
    app.run()

making a request with specially crafted headers like this:

curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'username=test' 'http://127.0.0.1:5000/submit'

would cause excessive load and making workers timeout.

The request should've been parsed without overloading the worker and extracted the form arguments as usual.

I'm planning to make a PR which should fix this issue.

Environment:

• Python version: latest
• Werkzeug version: latest

[davidism]

Thank you, happy to review the PR when it's in!