Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

Thanks Alan Ryan for the report and initial patch.

1 files changed, 20 insertions, 0 deletions

diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 1e20b48d25..522441fd22 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
     def test_big_base64_newlines_upload(self):
         self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
 
+    def test_base64_invalid_upload(self):
+        payload = client.FakePayload('\r\n'.join([
+            '--' + client.BOUNDARY,
+            'Content-Disposition: form-data; name="file"; filename="test.txt"',
+            'Content-Type: application/octet-stream',
+            'Content-Transfer-Encoding: base64',
+            ''
+        ]))
+        payload.write(b'\r\n!\r\n')
+        payload.write('--' + client.BOUNDARY + '--\r\n')
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo_content/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.json()['file'], '')
+
     def test_unicode_file_name(self):
         with sys_tempfile.TemporaryDirectory() as temp_dir:
             # This file contains Chinese symbols and an accented char in the name.