net/http: multipart form parsing is hazardous and difficult to configure #58529

@neild

Description

http.Request helpfully parses multipart/form-data requests, not just explicitly in req.ParseMultipartForm but also implicitly in req.FormFile, req.FormValue, and req.PostFormValue.

Multipart form parsing uses mime/multipart.Reader.ReadForm, which has few limits on resource consumption:

  • ReadForm takes a maxMemory parameter, but will allocate up to 10MiB of memory over and above this limit.
  • ReadForm will write file form parts to disk, with no limit on the amount of disk consumed.

The defaults here are hazardous: A caller of req.FormValue may not intend to handle multipart/form-data forms at all, and will be surprised that the function can consume large amounts of memory and/or disk. The mechanisms for adjusting the defaults are inadequate: There is no simple way to disable multipart form parsing, to disable the use of disk temporary files, or to limit the memory consumption of ParseMultipartForm to less than 10MiB.

Compatibility may make it impossible to change the defaults, but at a minimum we should make it easy to configure reasonable limits.
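As an added illustration (not code from this issue or from the Go project), here is how a handler can stay out of the hazard described above with the primitives that do exist today: a handler that only wants urlencoded fields refuses multipart/form-data before FormValue can trigger ReadForm, and an upload handler bounds what ReadForm can ever see with http.MaxBytesReader. The byte caps are assumed demo values.

```go
package main

import (
	"mime"
	"net/http"
	"strconv"
)

const (
	maxFormBytes = 1 << 20  // assumed demo cap on the whole body, enforced before parsing
	maxFormMem   = 64 << 10 // assumed demo maxMemory handed to ParseMultipartForm
)

// isMultipart reports whether the request declares a multipart/form-data body.
func isMultipart(r *http.Request) bool {
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	return err == nil && mt == "multipart/form-data"
}

// simpleFormHandler wants urlencoded fields only. Rejecting multipart up front
// means FormValue never reaches ReadForm, so no temp files and no 10MiB slack.
func simpleFormHandler(w http.ResponseWriter, r *http.Request) {
	if isMultipart(r) {
		http.Error(w, "multipart/form-data not accepted", http.StatusUnsupportedMediaType)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	if err := r.ParseForm(); err != nil {
		http.Error(w, "form too large or malformed", http.StatusBadRequest)
		return
	}
	w.Write([]byte("name=" + r.FormValue("name")))
}

// uploadHandler does expect multipart. MaxBytesReader is the real ceiling on
// memory plus disk, since ReadForm may exceed maxMemory by up to 10MiB.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	if err := r.ParseMultipartForm(maxFormMem); err != nil {
		http.Error(w, "form too large or malformed", http.StatusRequestEntityTooLarge)
		return
	}
	defer r.MultipartForm.RemoveAll() // delete temp files ReadForm spilled to disk
	w.Write([]byte("fields=" + strconv.Itoa(len(r.MultipartForm.Value))))
}

func main() {
	http.HandleFunc("/login", simpleFormHandler)
	http.HandleFunc("/upload", uploadHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

The server already calls RemoveAll on the parsed form after the handler returns; the explicit defer just makes the cleanup visible at the point of use.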

Labels: NeedsInvestigation