From fc18f36c4ab94399366ca2f2007b3692559a6f23 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Fri, 21 Jan 2022 07:50:03 +0100
Subject: [PATCH] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

Thanks Alan Ryan for the report and initial patch.
---
 django/http/multipartparser.py | 2 ++
 docs/releases/2.2.27.txt | 6 ++++++
 docs/releases/3.2.12.txt | 6 ++++++
 docs/releases/4.0.2.txt | 6 ++++++
 tests/file_uploads/tests.py | 20 ++++++++++++++++++++
 5 files changed, 40 insertions(+)

diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index c3cb90e639..ef0b339d1b 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -248,6 +248,8 @@ class MultiPartParser:
 remaining = len(stripped_chunk) % 4
 while remaining != 0:
 over_chunk = field_stream.read(4 - remaining)
+ if not over_chunk:
+ break
 stripped_chunk += b"".join(over_chunk.split())
 remaining = len(stripped_chunk) % 4
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
index b1712c649c..688a482575 100644
--- a/docs/releases/2.2.27.txt
+++ b/docs/releases/2.2.27.txt
@@ -15,3 +15,9 @@ posing an XSS attack vector.
 In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
diff --git a/docs/releases/3.2.12.txt b/docs/releases/3.2.12.txt
index 31bc7d2c59..0907050791 100644
--- a/docs/releases/3.2.12.txt
+++ b/docs/releases/3.2.12.txt
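Review bot: The new `break` exits the loop with `remaining != 0`, so `stripped_chunk` reaches the decode that presumably follows the loop (outside this hunk) with a length that is not a multiple of four; in `base64.b64decode`'s default non-strict mode a stray non-alphabet byte like the `!` in the new test is silently dropped, whereas a truncated alphabet tail such as `QUJ` raises `binascii.Error`, so whether a cut-off upload is rejected or quietly shortened is decided by that decode and its handler, not here. The intent deserves a comment on the guard: `# EOF before a full 4-byte group: stop reading and let the decode below handle the truncated remainder.` Note that the guard only fires on an empty read; a read that returns only whitespace (`over_chunk.split()` discards it) leaves `remaining` unchanged and triggers another 1–3 byte `field_stream.read()`, so a long whitespace run inside a base64 part still costs one read per byte — bounded by the request body now, so no longer a hang. The enclosing method starts and ends outside the hunk.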
@@ -15,3 +15,9 @@ posing an XSS attack vector.
 In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
diff --git a/docs/releases/4.0.2.txt b/docs/releases/4.0.2.txt
index d949d49dd6..05d235a4ff 100644
--- a/docs/releases/4.0.2.txt
+++ b/docs/releases/4.0.2.txt
@@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
+
 Bugfixes
 ========
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 1e20b48d25..522441fd22 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
 def test_big_base64_newlines_upload(self):
 self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
+
+ def test_base64_invalid_upload(self):
+ payload = client.FakePayload('\r\n'.join([
+ '--' + client.BOUNDARY,
+ 'Content-Disposition: form-data; name="file"; filename="test.txt"',
+ 'Content-Type: application/octet-stream',
+ 'Content-Transfer-Encoding: base64',
+ ''
+ ]))
+ payload.write(b'\r\n!\r\n')
+ payload.write('--' + client.BOUNDARY + '--\r\n')
+ r = {
+ 'CONTENT_LENGTH': len(payload),
+ 'CONTENT_TYPE': client.MULTIPART_CONTENT,
+ 'PATH_INFO': '/echo_content/',
+ 'REQUEST_METHOD': 'POST',
+ 'wsgi.input': payload,
+ }
+ response = self.client.request(**r)
+ self.assertEqual(response.json()['file'], '')
+
 def test_unicode_file_name(self):
 with sys_tempfile.TemporaryDirectory() as temp_dir:
 # This file contains Chinese symbols and an accented char in the name.
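Review bot: `test_base64_invalid_upload` covers only a single non-alphabet byte (`!`) at end of stream, which `base64.b64decode` discards in its default mode, so `response.json()['file'] == ''` passes without pinning what the parser does with a truncated but valid group that takes the same EOF exit; a second case writing `b'\r\nQUJ\r\n'` instead would fix that behavior (an error response or a shortened file — whichever the decode after the loop, outside this diff, produces). Because the pre-fix code looped forever, a regression makes this test hang rather than fail, which only the harness timeout catches; a one-line comment would at least tell the next reader why the payload is shaped this way, e.g. `# Regression test for CVE-2022-23833: a trailing partial base64 group must not hang the parser.` `FileUploadTests` starts and continues outside the hunk.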