Scrapy 1.4 allows remote attackers to cause a denial of service via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived and S3FilesStore.