Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.
Thanks Alan Ryan for the report and initial patch.
This commit is contained in:
parent
394517f078
commit
fc18f36c4a
|
@ -248,6 +248,8 @@ class MultiPartParser:
|
||||||
remaining = len(stripped_chunk) % 4
|
remaining = len(stripped_chunk) % 4
|
||||||
while remaining != 0:
|
while remaining != 0:
|
||||||
over_chunk = field_stream.read(4 - remaining)
|
over_chunk = field_stream.read(4 - remaining)
|
||||||
|
if not over_chunk:
|
||||||
|
break
|
||||||
stripped_chunk += b"".join(over_chunk.split())
|
stripped_chunk += b"".join(over_chunk.split())
|
||||||
remaining = len(stripped_chunk) % 4
|
remaining = len(stripped_chunk) % 4
|
||||||
|
|
||||||
|
|
|
@ -15,3 +15,9 @@ posing an XSS attack vector.
|
||||||
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
||||||
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
||||||
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
||||||
|
|
||||||
|
CVE-2022-23833: Denial-of-service possibility in file uploads
|
||||||
|
=============================================================
|
||||||
|
|
||||||
|
Passing certain inputs to multipart forms could result in an infinite loop when
|
||||||
|
parsing files.
|
||||||
|
|
|
@ -15,3 +15,9 @@ posing an XSS attack vector.
|
||||||
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
||||||
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
||||||
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
||||||
|
|
||||||
|
CVE-2022-23833: Denial-of-service possibility in file uploads
|
||||||
|
=============================================================
|
||||||
|
|
||||||
|
Passing certain inputs to multipart forms could result in an infinite loop when
|
||||||
|
parsing files.
|
||||||
|
|
|
@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
||||||
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
||||||
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
||||||
|
|
||||||
|
CVE-2022-23833: Denial-of-service possibility in file uploads
|
||||||
|
=============================================================
|
||||||
|
|
||||||
|
Passing certain inputs to multipart forms could result in an infinite loop when
|
||||||
|
parsing files.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
|
||||||
def test_big_base64_newlines_upload(self):
|
def test_big_base64_newlines_upload(self):
|
||||||
self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
|
self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
|
||||||
|
|
||||||
|
def test_base64_invalid_upload(self):
|
||||||
|
payload = client.FakePayload('\r\n'.join([
|
||||||
|
'--' + client.BOUNDARY,
|
||||||
|
'Content-Disposition: form-data; name="file"; filename="test.txt"',
|
||||||
|
'Content-Type: application/octet-stream',
|
||||||
|
'Content-Transfer-Encoding: base64',
|
||||||
|
''
|
||||||
|
]))
|
||||||
|
payload.write(b'\r\n!\r\n')
|
||||||
|
payload.write('--' + client.BOUNDARY + '--\r\n')
|
||||||
|
r = {
|
||||||
|
'CONTENT_LENGTH': len(payload),
|
||||||
|
'CONTENT_TYPE': client.MULTIPART_CONTENT,
|
||||||
|
'PATH_INFO': '/echo_content/',
|
||||||
|
'REQUEST_METHOD': 'POST',
|
||||||
|
'wsgi.input': payload,
|
||||||
|
}
|
||||||
|
response = self.client.request(**r)
|
||||||
|
self.assertEqual(response.json()['file'], '')
|
||||||
|
|
||||||
def test_unicode_file_name(self):
|
def test_unicode_file_name(self):
|
||||||
with sys_tempfile.TemporaryDirectory() as temp_dir:
|
with sys_tempfile.TemporaryDirectory() as temp_dir:
|
||||||
# This file contains Chinese symbols and an accented char in the name.
|
# This file contains Chinese symbols and an accented char in the name.
|
||||||
|
|
Loading…
Reference in New Issue