	Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
		| @@ -248,6 +248,8 @@ class MultiPartParser: | |||||||
|                                 remaining = len(stripped_chunk) % 4 |                                 remaining = len(stripped_chunk) % 4 | ||||||
|                                 while remaining != 0: |                                 while remaining != 0: | ||||||
|                                     over_chunk = field_stream.read(4 - remaining) |                                     over_chunk = field_stream.read(4 - remaining) | ||||||
|  |                                     if not over_chunk: | ||||||
|  |                                         break | ||||||
|                                     stripped_chunk += b"".join(over_chunk.split()) |                                     stripped_chunk += b"".join(over_chunk.split()) | ||||||
|                                     remaining = len(stripped_chunk) % 4 |                                     remaining = len(stripped_chunk) % 4 | ||||||
|  |  | ||||||
|   | |||||||
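Review bot: The new `if not over_chunk: break` carries no comment saying why it exists, and it is exactly the kind of line a later cleanup could fold back into the loop condition; suggest `# Stream exhausted: without this guard a body whose whitespace-stripped length is not a multiple of 4 never leaves the loop (CVE-2022-23833).` directly above it. After the break `stripped_chunk` keeps a length that is not a multiple of 4, so the base64 decode that follows is presumably what rejects the truncated field (that call is outside the hunk); stating that in the same comment would save the next reader a trip. Note also that a read returning only whitespace leaves `remaining` unchanged and iterates again, which is bounded only by `field_stream` itself — fine as long as that stream is length-limited, which the hunk does not show. The enclosing method of MultiPartParser starts and ends outside the hunk.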
| @@ -15,3 +15,9 @@ posing an XSS attack vector. | |||||||
| In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an | In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an | ||||||
| information when the ``DEBUG`` setting is ``False``, and it ensures all context | information when the ``DEBUG`` setting is ``False``, and it ensures all context | ||||||
| variables are correctly escaped when the ``DEBUG`` setting is ``True``. | variables are correctly escaped when the ``DEBUG`` setting is ``True``. | ||||||
|  |  | ||||||
|  | CVE-2022-23833: Denial-of-service possibility in file uploads | ||||||
|  | ============================================================= | ||||||
|  |  | ||||||
|  | Passing certain inputs to multipart forms could result in an infinite loop when | ||||||
|  | parsing files. | ||||||
|   | |||||||
| @@ -15,3 +15,9 @@ posing an XSS attack vector. | |||||||
| In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an | In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an | ||||||
| information when the ``DEBUG`` setting is ``False``, and it ensures all context | information when the ``DEBUG`` setting is ``False``, and it ensures all context | ||||||
| variables are correctly escaped when the ``DEBUG`` setting is ``True``. | variables are correctly escaped when the ``DEBUG`` setting is ``True``. | ||||||
|  |  | ||||||
|  | CVE-2022-23833: Denial-of-service possibility in file uploads | ||||||
|  | ============================================================= | ||||||
|  |  | ||||||
|  | Passing certain inputs to multipart forms could result in an infinite loop when | ||||||
|  | parsing files. | ||||||
|   | |||||||
| @@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an | |||||||
| information when the ``DEBUG`` setting is ``False``, and it ensures all context | information when the ``DEBUG`` setting is ``False``, and it ensures all context | ||||||
| variables are correctly escaped when the ``DEBUG`` setting is ``True``. | variables are correctly escaped when the ``DEBUG`` setting is ``True``. | ||||||
|  |  | ||||||
|  | CVE-2022-23833: Denial-of-service possibility in file uploads | ||||||
|  | ============================================================= | ||||||
|  |  | ||||||
|  | Passing certain inputs to multipart forms could result in an infinite loop when | ||||||
|  | parsing files. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -139,6 +139,26 @@ class FileUploadTests(TestCase): | |||||||
|     def test_big_base64_newlines_upload(self): |     def test_big_base64_newlines_upload(self): | ||||||
|         self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes) |         self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes) | ||||||
|  |  | ||||||
|  |     def test_base64_invalid_upload(self): | ||||||
|  |         payload = client.FakePayload('\r\n'.join([ | ||||||
|  |             '--' + client.BOUNDARY, | ||||||
|  |             'Content-Disposition: form-data; name="file"; filename="test.txt"', | ||||||
|  |             'Content-Type: application/octet-stream', | ||||||
|  |             'Content-Transfer-Encoding: base64', | ||||||
|  |             '' | ||||||
|  |         ])) | ||||||
|  |         payload.write(b'\r\n!\r\n') | ||||||
|  |         payload.write('--' + client.BOUNDARY + '--\r\n') | ||||||
|  |         r = { | ||||||
|  |             'CONTENT_LENGTH': len(payload), | ||||||
|  |             'CONTENT_TYPE': client.MULTIPART_CONTENT, | ||||||
|  |             'PATH_INFO': '/echo_content/', | ||||||
|  |             'REQUEST_METHOD': 'POST', | ||||||
|  |             'wsgi.input': payload, | ||||||
|  |         } | ||||||
|  |         response = self.client.request(**r) | ||||||
|  |         self.assertEqual(response.json()['file'], '') | ||||||
|  |  | ||||||
|     def test_unicode_file_name(self): |     def test_unicode_file_name(self): | ||||||
|         with sys_tempfile.TemporaryDirectory() as temp_dir: |         with sys_tempfile.TemporaryDirectory() as temp_dir: | ||||||
|             # This file contains Chinese symbols and an accented char in the name. |             # This file contains Chinese symbols and an accented char in the name. | ||||||
|   | |||||||
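Review bot: The new test pins only `response.json()['file'] == ''`, so a regression that makes the parser raise or return an error status would surface as a JSON decode failure rather than a clear assertion; add `self.assertEqual(response.status_code, 200)` before the existing assertion. A one-line docstring tying the case to the fix would also help, e.g. `"""A base64 body whose stripped length is not a multiple of 4 must terminate (CVE-2022-23833)."""`. The payload mixes a bytes write (`b'\r\n!\r\n'`) with str writes on the surrounding lines; `client.FakePayload` appears to accept both, but if it encodes str differently the two should be made consistent. The FileUploadTests class starts before the hunk and continues after it.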