authorMarkus Holtermann <info@markusholtermann.eu>2022-12-13 10:27:39 +0100
committerCarlton Gibson <carlton.gibson@noumenal.es>2023-02-14 08:18:40 +0100
commit85ac33591c393f1480d4f23b4daff40119cb6410 (patch)
tree8f3b94059487d9587fc42f0fdc79fc123259b3f9 /django/conf
parent1eb94bc8dab46dfa117d21ef4f3b52aebb593615 (diff)
Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
Diffstat (limited to 'django/conf')
-rw-r--r--django/conf/global_settings.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 4cca441560..5b15d9617d 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -313,6 +313,10 @@ DATA_UPLOAD_MAX_MEMORY_SIZE = 2621440 # i.e. 2.5 MB
# SuspiciousOperation (TooManyFieldsSent) is raised.
DATA_UPLOAD_MAX_NUMBER_FIELDS = 1000
+# Maximum number of files encoded in a multipart upload that will be read
+# before a SuspiciousOperation (TooManyFilesSent) is raised.
+DATA_UPLOAD_MAX_NUMBER_FILES = 100
+
# Directory in which upload streamed files will be temporarily saved. A value of
# `None` will make Django use the operating system's default temporary directory
# (i.e. "/tmp" on *nix systems).
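Review bot: The new comment on DATA_UPLOAD_MAX_NUMBER_FILES does not say whether the limit can be switched off, which is the first thing an operator whose legitimate bulk-upload form now raises TooManyFilesSent will look for; if this setting is handled like DATA_UPLOAD_MAX_NUMBER_FIELDS just above it (where None disables the check), add `# A value of None disables the check.` after the two new comment lines. It would also help to state what is counted, presumably file parts in a single multipart request, and that this limit is separate from DATA_UPLOAD_MAX_NUMBER_FIELDS and DATA_UPLOAD_MAX_MEMORY_SIZE, so a reader does not assume one of the existing limits already covers it. The enforcement itself is not in this hunk, so the exact semantics (per-request count, None handling) should be confirmed against the parser change before the comment is worded that way.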