author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-01-21 07:50:03 +0100 |
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-02-01 07:41:40 +0100 |
commit | fc18f36c4ab94399366ca2f2007b3692559a6f23 (patch) | |
tree | 6a501fe6f132e9aa38199758c91d2b0956d4f424 /tests/file_uploads | |
parent | 394517f07886495efcf79f95c7ee402a9437bd68 (diff) | |
download | django-fc18f36c4ab94399366ca2f2007b3692559a6f23.tar.gz |
Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
Diffstat (limited to 'tests/file_uploads')
-rw-r--r-- | tests/file_uploads/tests.py | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 1e20b48d25..522441fd22 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
     def test_big_base64_newlines_upload(self):
         self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
 
+    def test_base64_invalid_upload(self):
+        payload = client.FakePayload('\r\n'.join([
+            '--' + client.BOUNDARY,
+            'Content-Disposition: form-data; name="file"; filename="test.txt"',
+            'Content-Type: application/octet-stream',
+            'Content-Transfer-Encoding: base64',
+            ''
+        ]))
+        payload.write(b'\r\n!\r\n')
+        payload.write('--' + client.BOUNDARY + '--\r\n')
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo_content/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.json()['file'], '')
+
     def test_unicode_file_name(self):
         with sys_tempfile.TemporaryDirectory() as temp_dir:
             # This file contains Chinese symbols and an accented char in the name.
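Review bot: `test_base64_invalid_upload` is a regression test for a denial-of-service fix, but nothing in the hunk records that, so a future maintainer who sees only `self.assertEqual(response.json()['file'], '')` may not realise the real property under test is that the multipart parser terminates on a base64 part whose body (`b'\r\n!\r\n'`, where `!` is not a base64 character) cannot be decoded. I would add a docstring such as `"""Regression test for CVE-2022-23833: a multipart part declaring Content-Transfer-Encoding: base64 but carrying undecodable data must be parsed to completion (here yielding an empty file) rather than hanging the parser."""`, and a one-line comment above `payload.write(b'\r\n!\r\n')` noting that `!` is deliberately outside the base64 alphabet. Note also that if the parser regressed the test would most likely hang rather than fail, since the only assertion is on the decoded content; asserting `self.assertEqual(response.status_code, 200)` before reading the body would at least separate "view ran to completion" from "body happened to be empty". The surrounding `test_unicode_file_name` body continues past the end of the hunk.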