From fb4c55d9ec4bb812a7fb91fa20510d91645e411b Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Thu, 13 Apr 2023 10:10:56 +0200
Subject: Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
---
 django/forms/widgets.py | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

(limited to 'django')

diff --git a/django/forms/widgets.py b/django/forms/widgets.py
index b4a9583364..ab7c0f755f 100644
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -406,17 +406,41 @@ class MultipleHiddenInput(HiddenInput):
 
 
 class FileInput(Input):
+    allow_multiple_selected = False
     input_type = "file"
     needs_multipart_form = True
     template_name = "django/forms/widgets/file.html"
 
+    def __init__(self, attrs=None):
+        if (
+            attrs is not None
+            and not self.allow_multiple_selected
+            and attrs.get("multiple", False)
+        ):
+            raise ValueError(
+                "%s doesn't support uploading multiple files."
+                % self.__class__.__qualname__
+            )
+        if self.allow_multiple_selected:
+            if attrs is None:
+                attrs = {"multiple": True}
+            else:
+                attrs.setdefault("multiple", True)
+        super().__init__(attrs)
+
     def format_value(self, value):
         """File input never renders a value."""
         return
 
     def value_from_datadict(self, data, files, name):
         "File widgets take data from FILES, not POST"
-        return files.get(name)
+        getter = files.get
+        if self.allow_multiple_selected:
+            try:
+                getter = files.getlist
+            except AttributeError:
+                pass
+        return getter(name)
 
     def value_omitted_from_data(self, data, files, name):
         return name not in files
-- 
cgit v1.2.1
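Review bot: `attrs.setdefault("multiple", True)` in the new `__init__` writes into the dict the caller passed in, so an `attrs` literal shared between widget instances silently acquires `multiple`; `attrs = {"multiple": True, **attrs}` keeps the same precedence without touching the caller's object (the `attrs is None` branch already builds a fresh dict). The `ValueError` guard only inspects the constructor argument, so a `multiple` attribute assigned to `widget.attrs` after construction is not rejected — presumably the unchanged `files.get` path then still binds a single file rather than bypassing validation, but that contract is nowhere stated; a comment on the new class attribute would make it explicit, e.g. `# Only subclasses that set this True receive a list from value_from_datadict; pair them with a field that validates every item.` The `try`/`except AttributeError` around `files.getlist` would read more directly as `getter = getattr(files, "getlist", files.get)` inside the `if`. The class body may continue past the end of the hunk.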