From fc18f36c4ab94399366ca2f2007b3692559a6f23 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Fri, 21 Jan 2022 07:50:03 +0100 Subject: Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. Thanks Alan Ryan for the report and initial patch. --- tests/file_uploads/tests.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'tests') diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py index 1e20b48d25..522441fd22 100644 --- a/tests/file_uploads/tests.py +++ b/tests/file_uploads/tests.py @@ -139,6 +139,26 @@ class FileUploadTests(TestCase): def test_big_base64_newlines_upload(self): self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes) + def test_base64_invalid_upload(self): + payload = client.FakePayload('\r\n'.join([ + '--' + client.BOUNDARY, + 'Content-Disposition: form-data; name="file"; filename="test.txt"', + 'Content-Type: application/octet-stream', + 'Content-Transfer-Encoding: base64', + '' + ])) + payload.write(b'\r\n!\r\n') + payload.write('--' + client.BOUNDARY + '--\r\n') + r = { + 'CONTENT_LENGTH': len(payload), + 'CONTENT_TYPE': client.MULTIPART_CONTENT, + 'PATH_INFO': '/echo_content/', + 'REQUEST_METHOD': 'POST', + 'wsgi.input': payload, + } + response = self.client.request(**r) + self.assertEqual(response.json()['file'], '') + def test_unicode_file_name(self): with sys_tempfile.TemporaryDirectory() as temp_dir: # This file contains Chinese symbols and an accented char in the name. -- cgit v1.3