[3.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.

Thanks to Jakob Ackermann for the report.
author: Markus Holtermann <info@markusholtermann.eu> 2022-12-13 10:27:39 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2023-02-07 10:39:25 +0100
commit: a665ed5179f5bbd3db95ce67286d0192eff041d8 (patch)
tree: 5c5873c622efac4be67e05a3db7723034b627a78 /tests
parent: 932b5bd52d8d7e9255264fdbf425e322efac0b97 (diff)
2 files changed, 77 insertions, 2 deletions
diff --git a/tests/handlers/test_exception.py b/tests/handlers/test_exception.py
index 0c1e763990..7de2edaeea 100644
--- a/tests/handlers/test_exception.py
+++ b/tests/handlers/test_exception.py
@@ -1,6 +1,8 @@
 from django.core.handlers.wsgi import WSGIHandler
 from django.test import SimpleTestCase, override_settings
-from django.test.client import FakePayload
+from django.test.client import (
+    BOUNDARY, MULTIPART_CONTENT, FakePayload, encode_multipart,
+)
 
 
 class ExceptionHandlerTests(SimpleTestCase):
@@ -25,3 +27,27 @@ class ExceptionHandlerTests(SimpleTestCase):
     def test_data_upload_max_number_fields_exceeded(self):
         response = WSGIHandler()(self.get_suspicious_environ(), lambda *a, **k: None)
         self.assertEqual(response.status_code, 400)
+
+    @override_settings(DATA_UPLOAD_MAX_NUMBER_FILES=2)
+    def test_data_upload_max_number_files_exceeded(self):
+        payload = FakePayload(
+            encode_multipart(
+                BOUNDARY,
+                {
+                    "a.txt": "Hello World!",
+                    "b.txt": "Hello Django!",
+                    "c.txt": "Hello Python!",
+                },
+            )
+        )
+        environ = {
+            "REQUEST_METHOD": "POST",
+            "CONTENT_TYPE": MULTIPART_CONTENT,
+            "CONTENT_LENGTH": len(payload),
+            "wsgi.input": payload,
+            "SERVER_NAME": "test",
+            "SERVER_PORT": "8000",
+        }
+
+        response = WSGIHandler()(environ, lambda *a, **k: None)
+        self.assertEqual(response.status_code, 400)
diff --git a/tests/requests/test_data_upload_settings.py b/tests/requests/test_data_upload_settings.py
index 44897cc9fa..ded778b422 100644
--- a/tests/requests/test_data_upload_settings.py
+++ b/tests/requests/test_data_upload_settings.py
@@ -1,11 +1,14 @@
 from io import BytesIO
 
-from django.core.exceptions import RequestDataTooBig, TooManyFieldsSent
+from django.core.exceptions import (
+    RequestDataTooBig, TooManyFieldsSent, TooManyFilesSent,
+)
 from django.core.handlers.wsgi import WSGIRequest
 from django.test import SimpleTestCase
 from django.test.client import FakePayload
 
 TOO_MANY_FIELDS_MSG = 'The number of GET/POST parameters exceeded settings.DATA_UPLOAD_MAX_NUMBER_FIELDS.'
+TOO_MANY_FILES_MSG = 'The number of files exceeded settings.DATA_UPLOAD_MAX_NUMBER_FILES.'
 TOO_MUCH_DATA_MSG = 'Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE.'
 
 
@@ -166,6 +169,52 @@ class DataUploadMaxNumberOfFieldsMultipartPost(SimpleTestCase):
             self.request._load_post_and_files()
 
 
+class DataUploadMaxNumberOfFilesMultipartPost(SimpleTestCase):
+    def setUp(self):
+        payload = FakePayload(
+            "\r\n".join(
+                [
+                    "--boundary",
+                    (
+                        'Content-Disposition: form-data; name="name1"; '
+                        'filename="name1.txt"'
+                    ),
+                    "",
+                    "value1",
+                    "--boundary",
+                    (
+                        'Content-Disposition: form-data; name="name2"; '
+                        'filename="name2.txt"'
+                    ),
+                    "",
+                    "value2",
+                    "--boundary--",
+                ]
+            )
+        )
+        self.request = WSGIRequest(
+            {
+                "REQUEST_METHOD": "POST",
+                "CONTENT_TYPE": "multipart/form-data; boundary=boundary",
+                "CONTENT_LENGTH": len(payload),
+                "wsgi.input": payload,
+            }
+        )
+
+    def test_number_exceeded(self):
+        with self.settings(DATA_UPLOAD_MAX_NUMBER_FILES=1):
+            with self.assertRaisesMessage(TooManyFilesSent, TOO_MANY_FILES_MSG):
+                self.request._load_post_and_files()
+
+    def test_number_not_exceeded(self):
+        with self.settings(DATA_UPLOAD_MAX_NUMBER_FILES=2):
+            self.request._load_post_and_files()
+
+    def test_no_limit(self):
+        with self.settings(DATA_UPLOAD_MAX_NUMBER_FILES=None):
+            self.request._load_post_and_files()
+
+
 class DataUploadMaxNumberOfFieldsFormPost(SimpleTestCase):
     def setUp(self):
         payload = FakePayload("\r\n".join(['a=1&a=2&a=3', '']))
author	Markus Holtermann <info@markusholtermann.eu>	2022-12-13 10:27:39 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2023-02-07 10:39:25 +0100
commit	a665ed5179f5bbd3db95ce67286d0192eff041d8 (patch)
tree	5c5873c622efac4be67e05a3db7723034b627a78 /tests
parent	932b5bd52d8d7e9255264fdbf425e322efac0b97 (diff)