oss-sec mailing list archives

Django - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads


From: Carlton Gibson <carlton.gibson () gmail com>
Date: Tue, 14 Feb 2023 09:40:43 +0100

Django security releases issued: 4.1.7, 4.0.10, and 3.2.18

Details are available on the Django project weblog:
https://www.djangoproject.com/weblog/2023/feb/14/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django
team is issuing
`Django 4.1.7 <https://docs.djangoproject.com/en/dev/releases/4.1.7/>`_,
`Django 4.0.10 <https://docs.djangoproject.com/en/dev/releases/4.0.10/>`_,
and `Django 3.2.18 <https://docs.djangoproject.com/en/dev/releases/3.2.18/>`_.
These releases address the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================

Passing certain inputs to multipart forms could result in too many open
files or memory exhaustion, and provided a potential vector for a
denial-of-service attack.

The number of file parts parsed is now limited via the new
``DATA_UPLOAD_MAX_NUMBER_FILES`` setting.
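As an added illustration (not code from the advisory or from Django itself), the following standalone Python mirrors the mitigation described above: a multipart/form-data walker that counts file parts and rejects the request as soon as the cap is exceeded, before any further part is processed. Only the setting name comes from the advisory; the limit value of 100, the ``TooManyFilesSent`` name, the helper functions and the constructed sample bodies are this example's own assumptions.

```python
import re

# Assumed default for illustration; the setting name is Django's, the value is ours.
DATA_UPLOAD_MAX_NUMBER_FILES = 100


class TooManyFilesSent(Exception):
    """Raised before another file part is handled; a view would map it to HTTP 400."""


def count_file_parts(body: bytes, boundary: bytes,
                     limit: int = DATA_UPLOAD_MAX_NUMBER_FILES) -> int:
    """Walk the body part by part and count parts that carry a filename.

    The check fires while iterating, so a request with thousands of file
    parts is rejected instead of producing thousands of temp files or buffers.
    """
    delimiter = b"--" + boundary
    files = 0
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter: "--boundary--"
            break
        headers, _, _payload = part.partition(b"\r\n\r\n")
        if re.search(rb"(?i)content-disposition:.*\bfilename=", headers):
            files += 1
            if files > limit:
                raise TooManyFilesSent(f"more than {limit} file parts in request")
    return files


def build_multipart(boundary: bytes, n_files: int, n_fields: int = 1) -> bytes:
    """Construct a sample body with n_fields plain fields and n_files tiny file parts."""
    parts = []
    for i in range(n_fields):
        parts.append(b"--" + boundary + b"\r\n"
                     b'Content-Disposition: form-data; name="field%d"\r\n\r\n' % i
                     + b"value\r\n")
    for i in range(n_files):
        parts.append(b"--" + boundary + b"\r\n"
                     b'Content-Disposition: form-data; name="f"; filename="f%d.txt"\r\n' % i
                     + b"Content-Type: text/plain\r\n\r\nx\r\n")
    return b"".join(parts) + b"--" + boundary + b"--\r\n"


def check_request(body: bytes, boundary: bytes,
                  limit: int = DATA_UPLOAD_MAX_NUMBER_FILES):
    """Return ("ok", file_count) or ("rejected", None), as a view layer would decide."""
    try:
        return ("ok", count_file_parts(body, boundary, limit))
    except TooManyFilesSent:
        return ("rejected", None)
```

Plain form fields are not counted, so a form with many text inputs and a few attachments still passes; only the number of file parts is capped.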

Thanks to Jakob Ackermann for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.2 (currently at pre-release alpha status)
* Django 4.1
* Django 4.0
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and
the 4.2, 4.1, 4.0, and 3.2 release branches. The patches may be obtained
from the following changesets:

* On the `main branch <https://github.com/django/django/commit/85ac33591c393f1480d4f23b4daff40119cb6410>`__
* On the `4.2 release branch <https://github.com/django/django/commit/7ac5ff37b822c14e5b6be99da7f618eb1fe06062>`__
* On the `4.1 release branch <https://github.com/django/django/commit/628b33a854a9c68ec8a0c51f382f304a0044ec92>`__
* On the `4.0 release branch <https://github.com/django/django/commit/83f1ea83e4553e211c1c5a0dfc197b66d4e50432>`__
* On the `3.2 release branch <https://github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8>`__

The following releases have been issued:

* Django 4.1.7 (`download Django 4.1.7 <https://www.djangoproject.com/m/releases/4.1/Django-4.1.7.tar.gz>`_ |
  `4.1.7 checksums <https://www.djangoproject.com/m/pgp/Django-4.1.7.checksum.txt>`_)
* Django 4.0.10 (`download Django 4.0.10 <https://www.djangoproject.com/m/releases/4.0/Django-4.0.10.tar.gz>`_ |
  `4.0.10 checksums <https://www.djangoproject.com/m/pgp/Django-4.0.10.checksum.txt>`_)
* Django 3.2.18 (`download Django 3.2.18 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.18.tar.gz>`_ |
  `3.2.18 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.18.checksum.txt>`_)

The PGP key ID used for this release is Carlton Gibson:
`E17DF5C82B4F9D00 <https://github.com/carltongibson.gpg>`_

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
