Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports. Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2025-10-31 09:41:08 +00:00 · 2023-04-13 10:10:56 +02:00
parent 8e2460d599
commit fb4c55d9ec
8 changed files with 245 additions and 12 deletions
--- a/docs/releases/4.2.1.txt
+++ b/docs/releases/4.2.1.txt
@@ -7,6 +7,22 @@ Django 4.2.1 release notes
 Django 4.2.1 fixes a security issue with severity "low" and several bugs in
 4.2.

+CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
+=================================================================================================
+
+Uploading multiple files using one form field has never been supported by
+:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last
+uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files`
+topic suggested otherwise.
+
+In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput`
+and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when
+the ``multiple`` HTML attribute is set on them. To prevent the exception and
+keep the old behavior, set ``allow_multiple_selected`` to ``True``.
+
+For more details on using the new attribute and handling of multiple files
+through a single field, see :ref:`uploading_multiple_files`.
+
 Bugfixes
 ========