Django: CVE-2023-31047 Potential bypass of validation when uploading multiple files using one form field

[Mariusz Felisiak <felisiak.mariusz () gmail com>]

https://www.djangoproject.com/weblog/2023/may/03/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the 
Django team
is issuing
`Django 4.2.1 <https://docs.djangoproject.com/en/dev/releases/4.2.1/>`_,
`Django 4.1.9 <https://docs.djangoproject.com/en/dev/releases/4.1.9/>`_, and
`Django 3.2.19 <https://docs.djangoproject.com/en/dev/releases/3.2.19/>`_.
These releases addresses the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2023-31047: Potential bypass of validation when uploading multiple 
files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by
``forms.FileField`` or ``forms.ImageField`` as only the last
uploaded file was validated. Unfortunately, `Uploading multiple files 
<https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>`__
topic suggested otherwise.

In order to avoid the vulnerability, ``ClearableFileInput``
and `FileInput`` form widgets now raise ``ValueError`` when
the ``multiple`` HTML attribute is set on them. To prevent the exception and
keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files
through a single field, see `Uploading multiple files 
<https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>`__.

Thanks Moataz Al-Sharida and nawaik for reports.

This issue has severity "low" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch 
and the
4.2, 4.1, and 3.2 release branches. The patches may be obtained from the
following changesets:

* On the `main branch 
<https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b>`__
* On the `4.2 release branch 
<https://github.com/django/django/commit/21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd>`__
* On the `4.1 release branch 
<https://github.com/django/django/commit/e7c3a2ccc3a562328600be05068ed9149e12ce64>`__
* On the `3.2 release branch 
<https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965>`__

The following releases have been issued:

* Django 4.2.1 (`download Django 4.2.1 
<https://www.djangoproject.com/m/releases/4.2/Django-4.2.1.tar.gz>`_ | 
`4.2.1 checksums 
<https://www.djangoproject.com/m/pgp/Django-4.2.1.checksum.txt>`_)
* Django 4.1.9 (`download Django 4.1.9 
<https://www.djangoproject.com/m/releases/4.1/Django-4.1.9.tar.gz>`_ | 
`4.1.9 checksums 
<https://www.djangoproject.com/m/pgp/Django-4.1.9.checksum.txt>`_)
* Django 3.2.19 (`download Django 3.2.19 
<https://www.djangoproject.com/m/releases/3.2/Django-3.2.19.tar.gz>`_ | 
`3.2.19 checksums 
<https://www.djangoproject.com/m/pgp/Django-3.2.19.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak: 
`2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.