| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-04-13 10:10:56 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-05-03 13:42:00 +0200 |
| commit | fb4c55d9ec4bb812a7fb91fa20510d91645e411b (patch) | |
| tree | d903883e061b3412efa07a424d26964532113f4a /docs | |
| parent | 8e2460d599aec95f8cfe514d3cc8acdd4ca4b1fb (diff) | |
| download | django-fb4c55d9ec4bb812a7fb91fa20510d91645e411b.tar.gz | |
Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'docs')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/releases/3.2.19.txt | 16 |
| -rw-r--r-- | docs/releases/4.1.9.txt | 16 |
| -rw-r--r-- | docs/releases/4.2.1.txt | 16 |
| -rw-r--r-- | docs/topics/http/file-uploads.txt | 66 |

4 files changed, 104 insertions, 10 deletions
diff --git a/docs/releases/3.2.19.txt b/docs/releases/3.2.19.txt index c5817e689c..9f9eb3f45c 100644 --- a/docs/releases/3.2.19.txt +++ b/docs/releases/3.2.19.txt @@ -6,4 +6,18 @@ Django 3.2.19 release notes Django 3.2.19 fixes a security issue with severity "low" in 3.2.18. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. diff --git a/docs/releases/4.1.9.txt b/docs/releases/4.1.9.txt index 87b6690685..77c2b3547b 100644 --- a/docs/releases/4.1.9.txt +++ b/docs/releases/4.1.9.txt 
@@ -6,4 +6,18 @@ Django 4.1.9 release notes Django 4.1.9 fixes a security issue with severity "low" in 4.1.8. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. diff --git a/docs/releases/4.2.1.txt b/docs/releases/4.2.1.txt index bed64f6ad1..7977e7f088 100644 --- a/docs/releases/4.2.1.txt +++ b/docs/releases/4.2.1.txt 
@@ -7,6 +7,22 @@ Django 4.2.1 release notes Django 4.2.1 fixes a security issue with severity "low" and several bugs in 4.2. +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. + Bugfixes ======== diff --git a/docs/topics/http/file-uploads.txt b/docs/topics/http/file-uploads.txt index 7bd071d6c9..cb0fb5b7fb 100644 --- a/docs/topics/http/file-uploads.txt +++ b/docs/topics/http/file-uploads.txt 
@@ -144,11 +144,27 @@ a :class:`~django.core.files.File` like object to the instance = ModelWithFileField(file_field=content_file) instance.save() +.. _uploading_multiple_files: + Uploading multiple files ------------------------ -If you want to upload multiple files using one form field, set the ``multiple`` -HTML attribute of field's widget: +.. + Tests in tests.forms_tests.field_tests.test_filefield.MultipleFileFieldTest + should be updated after any changes in the following snippets. + +If you want to upload multiple files using one form field, create a subclass +of the field's widget and set the ``allow_multiple_selected`` attribute on it +to ``True``. + +In order for such files to be all validated by your form (and have the value of +the field include them all), you will also have to subclass ``FileField``. See +below for an example. + +.. admonition:: Multiple file field + + Django is likely to have a proper multiple file field support at some point + in the future. .. code-block:: python :caption: ``forms.py`` @@ -156,10 +172,26 @@ HTML attribute of field's widget: from django import forms + class MultipleFileInput(forms.ClearableFileInput): + allow_multiple_selected = True + + + class MultipleFileField(forms.FileField): + def __init__(self, *args, **kwargs): + kwargs.setdefault("widget", MultipleFileInput()) + super().__init__(*args, **kwargs) + + def clean(self, data, initial=None): + single_file_clean = super().clean + if isinstance(data, (list, tuple)): + result = [single_file_clean(d, initial) for d in data] + else: + result = single_file_clean(data, initial) + return result + + class FileFieldForm(forms.Form): - file_field = forms.FileField( - widget=forms.ClearableFileInput(attrs={"multiple": True}) - ) + file_field = MultipleFileField() Then override the ``post`` method of your :class:`~django.views.generic.edit.FormView` subclass to handle multiple file 
@@ -180,14 +212,32 @@ uploads: def post(self, request, *args, **kwargs): form_class = self.get_form_class() form = self.get_form(form_class) - files = request.FILES.getlist("file_field") if form.is_valid(): - for f in files: - ... # Do something with each file. return self.form_valid(form) else: return self.form_invalid(form) + def form_valid(self, form): + files = form.cleaned_data["file_field"] + for f in files: + ... # Do something with each file. + return super().form_valid() + +.. warning:: + + This will allow you to handle multiple files at the form level only. Be + aware that you cannot use it to put multiple files on a single model + instance (in a single field), for example, even if the custom widget is used + with a form field related to a model ``FileField``. + +.. versionchanged:: 3.2.19 + + In previous versions, there was no support for the ``allow_multiple_selected`` + class attribute, and users were advised to create the widget with the HTML + attribute ``multiple`` set through the ``attrs`` argument. However, this + caused validation of the form field to be applied only to the last file + submitted, which could have adverse security implications. + Upload Handlers =============== |
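Review bot: In the docs/releases/3.2.19.txt hunk, the sentence "Unfortunately, :ref:`uploading_multiple_files` topic suggested otherwise." is missing an article; suggest "Unfortunately, the :ref:`uploading_multiple_files` topic suggested otherwise." The same paragraph is copied verbatim into the 4.1.9 and 4.2.1 release notes, so the wording fix needs to be mirrored in those two hunks as well.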
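Review bot: In the first docs/topics/http/file-uploads.txt hunk (@@ -144,11 +144,27 @@), two of the new sentences read awkwardly. "In order for such files to be all validated by your form (and have the value of the field include them all), you will also have to subclass ``FileField``." would be clearer as "For your form to validate all of the files (and to include them all in the field's cleaned value), you also need to subclass ``FileField``." In the admonition, "Django is likely to have a proper multiple file field support" should drop the article: "proper multiple file field support".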
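Review bot: In the ``MultipleFileField.clean`` hunk (@@ -156,10 +172,26 @@), the list branch never reaches the ``required`` check that lives in ``super().clean``: when nothing was uploaded the widget's ``getlist`` (see the removed ``request.FILES.getlist("file_field")`` line in the next hunk) yields an empty list, ``isinstance(data, (list, tuple))`` is true, and ``clean`` returns ``[]`` for a required field without raising. Suggest either routing an empty list through ``single_file_clean`` so ``required`` applies, or stating in the surrounding prose that ``required`` is not enforced by this snippet; a test for the empty-submission case in ``MultipleFileFieldTest`` (which the new comment says must track these snippets) would pin down whichever behaviour is intended.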
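Review bot: In the last hunk (@@ -180,14 +212,32 @@), ``return super().form_valid()`` drops the required ``form`` argument; ``FormView.form_valid(self, form)`` takes the form, so the example as written raises ``TypeError`` on every valid submission. It should read ``return super().form_valid(form)``. Separately, after removing the ``getlist`` loop the overridden ``post`` now does exactly what ``ProcessFormView.post`` already does (build the form, dispatch to ``form_valid`` or ``form_invalid``), so the ``post`` override could be dropped from the snippet and the prose above it ("Then override the ``post`` method ...") updated to say that only ``form_valid`` needs overriding.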