oss-sec mailing list archives
Django: CVE-2023-31047 Potential bypass of validation when uploading multiple files using one form field
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Wed, 3 May 2023 15:27:32 +0200
https://www.djangoproject.com/weblog/2023/may/03/security-releases/

In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 4.2.1 <https://docs.djangoproject.com/en/dev/releases/4.2.1/>`_, `Django 4.1.9 <https://docs.djangoproject.com/en/dev/releases/4.1.9/>`_, and `Django 3.2.19 <https://docs.djangoproject.com/en/dev/releases/3.2.19/>`_. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by ``forms.FileField`` or ``forms.ImageField``, as only the last uploaded file was validated. Unfortunately, the `Uploading multiple files <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>`__ topic suggested otherwise.

In order to avoid the vulnerability, the ``ClearableFileInput`` and ``FileInput`` form widgets now raise ``ValueError`` when the ``multiple`` HTML attribute is set on them. To prevent the exception and keep the old behavior, set ``allow_multiple_selected`` to ``True``. Note that this only re-enables the widget: the field's ``clean()`` still has to validate every uploaded file in the list it now receives, as the linked topic shows. For more details on using the new attribute and handling multiple files through a single field, see `Uploading multiple files <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>`__.
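To make the mechanism concrete, the following added example (not Django's code and not part of the advisory) models the relevant pieces in plain Python so it runs without Django installed: a stand-in for ``django.utils.datastructures.MultiValueDict``, whose ``get()`` returns only the last value stored under a key, and stand-ins for ``forms.FileInput`` and ``forms.FileField``. The ``Upload`` type, the extension and size policy, and the contents of the constructed ``request.FILES`` are assumptions for the example. It contrasts the pre-fix path (the widget silently accepts ``multiple`` and hands the field only the last file, while the view then saves all of them) with the post-fix path (the widget raises ``ValueError`` unless ``allow_multiple_selected`` is set, and a field subclass validates every file):

```python
from dataclasses import dataclass


class MultiValueDict(dict):
    """Stand-in for Django's MultiValueDict (not Django's code): each key holds
    a list of values; get() returns only the LAST one, getlist() all of them."""

    def __init__(self, mapping=None):
        super().__init__()
        for key, values in (mapping or {}).items():
            self.setlist(key, values)

    def setlist(self, key, values):
        super().__setitem__(key, list(values))

    def getlist(self, key):
        return super().get(key, [])

    def get(self, key, default=None):
        values = self.getlist(key)
        return values[-1] if values else default


@dataclass
class Upload:
    """Constructed stand-in for an UploadedFile."""
    name: str
    size: int


ALLOWED_EXTENSIONS = {"png", "jpg"}  # constructed upload policy for the example
MAX_BYTES = 1_000_000


def validate_upload(upload):
    """Per-file validation of the kind a FileField subclass would perform."""
    ext = upload.name.rsplit(".", 1)[-1].lower() if "." in upload.name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"{upload.name}: extension {ext!r} not allowed")
    if upload.size > MAX_BYTES:
        raise ValueError(f"{upload.name}: {upload.size} bytes exceeds limit")
    return upload


class FileInput:
    """Stand-in for forms.FileInput with the post-fix behaviour."""
    allow_multiple_selected = False

    def __init__(self, attrs=None):
        self.attrs = dict(attrs or {})
        # Post-fix: refuse to render multiple="..." when the field would
        # still only receive one file.
        if self.attrs.get("multiple") and not self.allow_multiple_selected:
            raise ValueError(
                f"{type(self).__name__} doesn't support uploading multiple files."
            )
        if self.allow_multiple_selected:
            self.attrs.setdefault("multiple", True)

    def value_from_datadict(self, files, name):
        if self.allow_multiple_selected:
            return files.getlist(name)  # every file reaches clean()
        return files.get(name)          # only the last one does


class LegacyFileInput(FileInput):
    """Pre-fix behaviour: the multiple attribute was accepted silently and the
    field still saw only the last uploaded file."""

    def __init__(self, attrs=None):
        self.attrs = dict(attrs or {})

    def value_from_datadict(self, files, name):
        return files.get(name)


class FileField:
    def __init__(self, widget):
        self.widget = widget

    def clean(self, data):
        return validate_upload(data)


class MultipleFileInput(FileInput):
    allow_multiple_selected = True


class MultipleFileField(FileField):
    """Post-fix pattern: opt in via the widget and validate each file in the list."""

    def __init__(self, widget=None):
        super().__init__(widget or MultipleFileInput())

    def clean(self, data):
        single_file_clean = super().clean
        if isinstance(data, (list, tuple)):
            return [single_file_clean(d) for d in data]
        return [single_file_clean(data)]


def run_form(field, files, name="file_field"):
    """Mimic form.is_valid() followed by a view that, as the old docs showed,
    saved request.FILES.getlist(name) once the form validated."""
    try:
        field.clean(field.widget.value_from_datadict(files, name))
    except ValueError as exc:
        return {"saved": [], "error": str(exc)}
    return {"saved": [u.name for u in files.getlist(name)], "error": None}


# Constructed request.FILES: a disallowed file followed by an allowed one.
FILES = MultiValueDict({"file_field": [Upload("shell.php", 512), Upload("photo.png", 2048)]})


def vulnerable():
    # Only photo.png is validated, yet both files get saved.
    return run_form(FileField(LegacyFileInput({"multiple": True})), FILES)


def fixed():
    # shell.php is validated first and the whole upload is rejected.
    return run_form(MultipleFileField(), FILES)


def widget_refuses_multiple():
    try:
        FileInput({"multiple": True})
    except ValueError as exc:
        return str(exc)
    return None
```

``vulnerable()`` reports both files saved with no error because the legacy widget handed ``clean()`` only ``photo.png``; ``fixed()`` reports nothing saved and the ``shell.php`` validation error; ``widget_refuses_multiple()`` returns the ``ValueError`` message the patched widget raises when ``multiple`` is set without ``allow_multiple_selected``.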
Thanks to Moataz Al-Sharida and nawaik for the reports.

This issue has severity "low" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and the 4.2, 4.1, and 3.2 release branches. The patches may be obtained from the following changesets:

* On the `main branch <https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b>`__
* On the `4.2 release branch <https://github.com/django/django/commit/21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd>`__
* On the `4.1 release branch <https://github.com/django/django/commit/e7c3a2ccc3a562328600be05068ed9149e12ce64>`__
* On the `3.2 release branch <https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965>`__

The following releases have been issued:

* Django 4.2.1 (`download Django 4.2.1 <https://www.djangoproject.com/m/releases/4.2/Django-4.2.1.tar.gz>`_ | `4.2.1 checksums <https://www.djangoproject.com/m/pgp/Django-4.2.1.checksum.txt>`_)
* Django 4.1.9 (`download Django 4.1.9 <https://www.djangoproject.com/m/releases/4.1/Django-4.1.9.tar.gz>`_ | `4.1.9 checksums <https://www.djangoproject.com/m/pgp/Django-4.1.9.checksum.txt>`_)
* Django 3.2.19 (`download Django 3.2.19 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.19.tar.gz>`_ | `3.2.19 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.19.checksum.txt>`_)
The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.
General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.