	[4.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
		
				
					committed by
					
						 Carlton Gibson
						Carlton Gibson
					
				
			
			
				
	
			
			
			
						parent
						
							de42d51361
						
					
				
				
					commit
					7ac5ff37b8
				
			| @@ -1,6 +1,11 @@ | ||||
| from django.core.handlers.wsgi import WSGIHandler | ||||
| from django.test import SimpleTestCase, override_settings | ||||
| from django.test.client import FakePayload | ||||
| from django.test.client import ( | ||||
|     BOUNDARY, | ||||
|     MULTIPART_CONTENT, | ||||
|     FakePayload, | ||||
|     encode_multipart, | ||||
| ) | ||||
|  | ||||
|  | ||||
| class ExceptionHandlerTests(SimpleTestCase): | ||||
| @@ -24,3 +29,27 @@ class ExceptionHandlerTests(SimpleTestCase): | ||||
|     def test_data_upload_max_number_fields_exceeded(self): | ||||
|         response = WSGIHandler()(self.get_suspicious_environ(), lambda *a, **k: None) | ||||
|         self.assertEqual(response.status_code, 400) | ||||
|  | ||||
|     @override_settings(DATA_UPLOAD_MAX_NUMBER_FILES=2) | ||||
|     def test_data_upload_max_number_files_exceeded(self): | ||||
|         payload = FakePayload( | ||||
|             encode_multipart( | ||||
|                 BOUNDARY, | ||||
|                 { | ||||
|                     "a.txt": "Hello World!", | ||||
|                     "b.txt": "Hello Django!", | ||||
|                     "c.txt": "Hello Python!", | ||||
|                 }, | ||||
|             ) | ||||
|         ) | ||||
|         environ = { | ||||
|             "REQUEST_METHOD": "POST", | ||||
|             "CONTENT_TYPE": MULTIPART_CONTENT, | ||||
|             "CONTENT_LENGTH": len(payload), | ||||
|             "wsgi.input": payload, | ||||
|             "SERVER_NAME": "test", | ||||
|             "SERVER_PORT": "8000", | ||||
|         } | ||||
|  | ||||
|         response = WSGIHandler()(environ, lambda *a, **k: None) | ||||
|         self.assertEqual(response.status_code, 400) | ||||
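Review bot: The new test_data_upload_max_number_files_exceeded asserts only `response.status_code == 400`, so it does not show that the DATA_UPLOAD_MAX_NUMBER_FILES limit is what rejected the request; any other rejection that maps to 400 would also satisfy it. The three values passed to `encode_multipart` are plain strings, and as far as I know that helper only emits a `filename=` part for values that have a `read()` method, so it is worth confirming these parts are counted as files rather than ordinary form fields. Passing file-like values, e.g. `"a.txt": SimpleUploadedFile("a.txt", b"Hello World!")`, and adding a control request with the same three parts under `DATA_UPLOAD_MAX_NUMBER_FILES=3` that must not return 400 would tie this regression test to the CVE-2023-24580 fix. A one-line docstring such as `"""More file parts than DATA_UPLOAD_MAX_NUMBER_FILES must yield a 400 response."""` would also record the intent.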
|   | ||||