Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

Thanks Alan Ryan for the report and initial patch.
This commit is contained in:
Mariusz Felisiak 2022-01-21 07:50:03 +01:00
parent 394517f078
commit fc18f36c4a
5 changed files with 40 additions and 0 deletions

View File

@ -248,6 +248,8 @@ class MultiPartParser:
remaining = len(stripped_chunk) % 4 remaining = len(stripped_chunk) % 4
while remaining != 0: while remaining != 0:
over_chunk = field_stream.read(4 - remaining) over_chunk = field_stream.read(4 - remaining)
if not over_chunk:
break
stripped_chunk += b"".join(over_chunk.split()) stripped_chunk += b"".join(over_chunk.split())
remaining = len(stripped_chunk) % 4 remaining = len(stripped_chunk) % 4

View File

@ -15,3 +15,9 @@ posing an XSS attack vector.
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``. variables are correctly escaped when the ``DEBUG`` setting is ``True``.
CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================
Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.

View File

@ -15,3 +15,9 @@ posing an XSS attack vector.
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``. variables are correctly escaped when the ``DEBUG`` setting is ``True``.
CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================
Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.

View File

@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``. variables are correctly escaped when the ``DEBUG`` setting is ``True``.
CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================
Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.
Bugfixes Bugfixes
======== ========

View File

@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
def test_big_base64_newlines_upload(self): def test_big_base64_newlines_upload(self):
self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes) self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
def test_base64_invalid_upload(self):
payload = client.FakePayload('\r\n'.join([
'--' + client.BOUNDARY,
'Content-Disposition: form-data; name="file"; filename="test.txt"',
'Content-Type: application/octet-stream',
'Content-Transfer-Encoding: base64',
''
]))
payload.write(b'\r\n!\r\n')
payload.write('--' + client.BOUNDARY + '--\r\n')
r = {
'CONTENT_LENGTH': len(payload),
'CONTENT_TYPE': client.MULTIPART_CONTENT,
'PATH_INFO': '/echo_content/',
'REQUEST_METHOD': 'POST',
'wsgi.input': payload,
}
response = self.client.request(**r)
self.assertEqual(response.json()['file'], '')
def test_unicode_file_name(self): def test_unicode_file_name(self):
with sys_tempfile.TemporaryDirectory() as temp_dir: with sys_tempfile.TemporaryDirectory() as temp_dir:
# This file contains Chinese symbols and an accented char in the name. # This file contains Chinese symbols and an accented char in the name.