A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a below:

[2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. · django/django@c477b76 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+28

-0

lines changed

Filter options

Expand file treeCollapse file tree 3 files changed

+28

-0

lines changed Original file line number Diff line number Diff line change

@@ -240,6 +240,8 @@ def parse(self):

 240 240

remaining = len(stripped_chunk) % 4

 241 241

while remaining != 0:

 242 242

over_chunk = field_stream.read(4 - remaining)

 243 +

if not over_chunk:

 244 +

break

 243 245

stripped_chunk += b"".join(over_chunk.split())

 244 246

remaining = len(stripped_chunk) % 4

 245 247 Original file line number Diff line number Diff line change

@@ -15,3 +15,9 @@ posing an XSS attack vector.

 15 15

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an

 16 16

information when the ``DEBUG`` setting is ``False``, and it ensures all context

 17 17

variables are correctly escaped when the ``DEBUG`` setting is ``True``.

 18 + 19 +

CVE-2022-23833: Denial-of-service possibility in file uploads

 20 +

=============================================================

 21 + 22 +

Passing certain inputs to multipart forms could result in an infinite loop when

 23 +

parsing files.

 Original file line number Diff line number Diff line change

@@ -142,6 +142,26 @@ def test_big_base64_upload(self):

 142 142

def test_big_base64_newlines_upload(self):

 143 143

self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)

 144 144 145 +

def test_base64_invalid_upload(self):

 146 +

payload = client.FakePayload('\r\n'.join([

 147 +

'--' + client.BOUNDARY,

 148 +

'Content-Disposition: form-data; name="file"; filename="test.txt"',

 149 +

'Content-Type: application/octet-stream',

 150 +

'Content-Transfer-Encoding: base64',

 151 +

''

 152 +

]))

 153 +

payload.write(b'\r\n!\r\n')

 154 +

payload.write('--' + client.BOUNDARY + '--\r\n')

 155 +

r = {

 156 +

'CONTENT_LENGTH': len(payload),

 157 +

'CONTENT_TYPE': client.MULTIPART_CONTENT,

 158 +

'PATH_INFO': '/echo_content/',

 159 +

'REQUEST_METHOD': 'POST',

 160 +

'wsgi.input': payload,

 161 +

}

 162 +

response = self.client.request(**r)

 163 +

self.assertEqual(response.json()['file'], '')

 164 + 145 165

def test_unicode_file_name(self):

 146 166

with sys_tempfile.TemporaryDirectory() as temp_dir:

 147 167

# This file contains Chinese symbols and an accented char in the name.

You can’t perform that action at this time.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4