Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

Thanks Alan Ryan for the report and initial patch.
2022-01-21 07:50:03 +01:00 · 2022-01-21 07:50:03 +01:00 · fc18f36c4a
parent 394517f078
commit fc18f36c4a
5 changed files with 40 additions and 0 deletions
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@ -248,6 +248,8 @@ class MultiPartParser:
                                remaining = len(stripped_chunk) % 4
                                while remaining != 0:
                                    over_chunk = field_stream.read(4 - remaining)
+                                    if not over_chunk:
+                                        break
                                    stripped_chunk += b"".join(over_chunk.split())
                                    remaining = len(stripped_chunk) % 4

--- a/docs/releases/2.2.27.txt
+++ b/docs/releases/2.2.27.txt
@ -15,3 +15,9 @@ posing an XSS attack vector.
 In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
--- a/docs/releases/3.2.12.txt
+++ b/docs/releases/3.2.12.txt
@ -15,3 +15,9 @@ posing an XSS attack vector.
 In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
--- a/docs/releases/4.0.2.txt
+++ b/docs/releases/4.0.2.txt
@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.

+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
+
 Bugfixes
 ========

--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@ -139,6 +139,26 @@ class FileUploadTests(TestCase):
    def test_big_base64_newlines_upload(self):
        self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)

+    def test_base64_invalid_upload(self):
+        payload = client.FakePayload('\r\n'.join([
+            '--' + client.BOUNDARY,
+            'Content-Disposition: form-data; name="file"; filename="test.txt"',
+            'Content-Type: application/octet-stream',
+            'Content-Transfer-Encoding: base64',
+            ''
+        ]))
+        payload.write(b'\r\n!\r\n')
+        payload.write('--' + client.BOUNDARY + '--\r\n')
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo_content/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.json()['file'], '')
+
    def test_unicode_file_name(self):
        with sys_tempfile.TemporaryDirectory() as temp_dir:
            # This file contains Chinese symbols and an accented char in the name.