From d16133568ef9c9b42cb7a08bdf9ff3feec2e5468 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Fri, 21 Jan 2022 07:50:03 +0100 Subject: [PATCH] [3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. Thanks Alan Ryan for the report and initial patch. Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main. --- django/http/multipartparser.py | 2 ++ docs/releases/2.2.27.txt | 6 ++++++ docs/releases/3.2.12.txt | 6 ++++++ tests/file_uploads/tests.py | 20 ++++++++++++++++++++ 4 files changed, 34 insertions(+) diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py index f464caa1b4..35a54f4ca1 100644 --- a/django/http/multipartparser.py +++ b/django/http/multipartparser.py @@ -248,6 +248,8 @@ class MultiPartParser: remaining = len(stripped_chunk) % 4 while remaining != 0: over_chunk = field_stream.read(4 - remaining) + if not over_chunk: + break stripped_chunk += b"".join(over_chunk.split()) remaining = len(stripped_chunk) % 4 diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt index b1712c649c..688a482575 100644 --- a/docs/releases/2.2.27.txt +++ b/docs/releases/2.2.27.txt @@ -15,3 +15,9 @@ posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``. + +CVE-2022-23833: Denial-of-service possibility in file uploads +============================================================= + +Passing certain inputs to multipart forms could result in an infinite loop when +parsing files. diff --git a/docs/releases/3.2.12.txt b/docs/releases/3.2.12.txt index 31bc7d2c59..0907050791 100644 --- a/docs/releases/3.2.12.txt +++ b/docs/releases/3.2.12.txt @@ -15,3 +15,9 @@ posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``. + +CVE-2022-23833: Denial-of-service possibility in file uploads +============================================================= + +Passing certain inputs to multipart forms could result in an infinite loop when +parsing files. diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py index 7bc8d41dac..18e4174fd0 100644 --- a/tests/file_uploads/tests.py +++ b/tests/file_uploads/tests.py @@ -143,6 +143,26 @@ class FileUploadTests(TestCase): def test_big_base64_newlines_upload(self): self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes) + def test_base64_invalid_upload(self): + payload = client.FakePayload('\r\n'.join([ + '--' + client.BOUNDARY, + 'Content-Disposition: form-data; name="file"; filename="test.txt"', + 'Content-Type: application/octet-stream', + 'Content-Transfer-Encoding: base64', + '' + ])) + payload.write(b'\r\n!\r\n') + payload.write('--' + client.BOUNDARY + '--\r\n') + r = { + 'CONTENT_LENGTH': len(payload), + 'CONTENT_TYPE': client.MULTIPART_CONTENT, + 'PATH_INFO': '/echo_content/', + 'REQUEST_METHOD': 'POST', + 'wsgi.input': payload, + } + response = self.client.request(**r) + self.assertEqual(response.json()['file'], '') + def test_unicode_file_name(self): with sys_tempfile.TemporaryDirectory() as temp_dir: # This file contains Chinese symbols and an accented char in the name.