[4.0.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.
Thanks Alan Ryan for the report and initial patch.
Backport of fc18f36c4a
from main.
This commit is contained in:
parent
0142204606
commit
f9c7d48fdd
|
@ -248,6 +248,8 @@ class MultiPartParser:
|
|||
remaining = len(stripped_chunk) % 4
|
||||
while remaining != 0:
|
||||
over_chunk = field_stream.read(4 - remaining)
|
||||
if not over_chunk:
|
||||
break
|
||||
stripped_chunk += b"".join(over_chunk.split())
|
||||
remaining = len(stripped_chunk) % 4
|
||||
|
||||
|
|
|
@ -15,3 +15,9 @@ posing an XSS attack vector.
|
|||
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
||||
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
||||
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
||||
|
||||
CVE-2022-23833: Denial-of-service possibility in file uploads
|
||||
=============================================================
|
||||
|
||||
Passing certain inputs to multipart forms could result in an infinite loop when
|
||||
parsing files.
|
||||
|
|
|
@ -15,3 +15,9 @@ posing an XSS attack vector.
|
|||
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
||||
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
||||
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
||||
|
||||
CVE-2022-23833: Denial-of-service possibility in file uploads
|
||||
=============================================================
|
||||
|
||||
Passing certain inputs to multipart forms could result in an infinite loop when
|
||||
parsing files.
|
||||
|
|
|
@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
|||
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
||||
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
||||
|
||||
CVE-2022-23833: Denial-of-service possibility in file uploads
|
||||
=============================================================
|
||||
|
||||
Passing certain inputs to multipart forms could result in an infinite loop when
|
||||
parsing files.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
|
|
@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
|
|||
def test_big_base64_newlines_upload(self):
|
||||
self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
|
||||
|
||||
def test_base64_invalid_upload(self):
|
||||
payload = client.FakePayload('\r\n'.join([
|
||||
'--' + client.BOUNDARY,
|
||||
'Content-Disposition: form-data; name="file"; filename="test.txt"',
|
||||
'Content-Type: application/octet-stream',
|
||||
'Content-Transfer-Encoding: base64',
|
||||
''
|
||||
]))
|
||||
payload.write(b'\r\n!\r\n')
|
||||
payload.write('--' + client.BOUNDARY + '--\r\n')
|
||||
r = {
|
||||
'CONTENT_LENGTH': len(payload),
|
||||
'CONTENT_TYPE': client.MULTIPART_CONTENT,
|
||||
'PATH_INFO': '/echo_content/',
|
||||
'REQUEST_METHOD': 'POST',
|
||||
'wsgi.input': payload,
|
||||
}
|
||||
response = self.client.request(**r)
|
||||
self.assertEqual(response.json()['file'], '')
|
||||
|
||||
def test_unicode_file_name(self):
|
||||
with sys_tempfile.TemporaryDirectory() as temp_dir:
|
||||
# This file contains Chinese symbols and an accented char in the name.
|
||||
|
|
Loading…
Reference in New Issue