summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorMarkus Holtermann <info@markusholtermann.eu>2022-12-13 10:27:39 +0100
committerCarlton Gibson <carlton.gibson@noumenal.es>2023-02-14 08:21:18 +0100
commit7ac5ff37b822c14e5b6be99da7f618eb1fe06062 (patch)
treeb69f9b45da0675276d7015dd4ca1dbbe105392b8 /docs/ref
parentde42d51361e316a4525440ad953e3a42ea6432b7 (diff)
[4.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/exceptions.txt5
-rw-r--r--docs/ref/settings.txt23
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/ref/exceptions.txt b/docs/ref/exceptions.txt
index b588d0ee81..54a31115f0 100644
--- a/docs/ref/exceptions.txt
+++ b/docs/ref/exceptions.txt
@@ -95,12 +95,17 @@ Django core exception classes are defined in ``django.core.exceptions``.
* ``SuspiciousMultipartForm``
* ``SuspiciousSession``
* ``TooManyFieldsSent``
+ * ``TooManyFilesSent``
If a ``SuspiciousOperation`` exception reaches the ASGI/WSGI handler level
it is logged at the ``Error`` level and results in
a :class:`~django.http.HttpResponseBadRequest`. See the :doc:`logging
documentation </topics/logging/>` for more information.
+.. versionchanged:: 3.2.18
+
+ ``SuspiciousOperation`` is raised when too many files are submitted.
+
``PermissionDenied``
--------------------
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 45823f98f9..e36ce9619f 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1097,6 +1097,28 @@ could be used as a denial-of-service attack vector if left unchecked. Since web
servers don't typically perform deep request inspection, it's not possible to
perform a similar check at that level.
+.. setting:: DATA_UPLOAD_MAX_NUMBER_FILES
+
+``DATA_UPLOAD_MAX_NUMBER_FILES``
+--------------------------------
+
+.. versionadded:: 3.2.18
+
+Default: ``100``
+
+The maximum number of files that may be received via POST in a
+``multipart/form-data`` encoded request before a
+:exc:`~django.core.exceptions.SuspiciousOperation` (``TooManyFiles``) is
+raised. You can set this to ``None`` to disable the check. Applications that
+are expected to receive an unusually large number of file fields should tune
+this setting.
+
+The number of accepted files is correlated to the amount of time and memory
+needed to process the request. Large requests could be used as a
+denial-of-service attack vector if left unchecked. Since web servers don't
+typically perform deep request inspection, it's not possible to perform a
+similar check at that level.
+
.. setting:: DATABASE_ROUTERS
``DATABASE_ROUTERS``
@@ -3775,6 +3797,7 @@ HTTP
----
* :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`
* :setting:`DATA_UPLOAD_MAX_NUMBER_FIELDS`
+* :setting:`DATA_UPLOAD_MAX_NUMBER_FILES`
* :setting:`DEFAULT_CHARSET`
* :setting:`DISALLOWED_USER_AGENTS`
* :setting:`FORCE_SCRIPT_NAME`