| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-04-13 10:10:56 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-05-03 13:58:52 +0200 |
| commit | eed53d0011622e70b936e203005f0e6f4ac48965 (patch) | |
| tree | 175c2c28c419b7bbeda52bc80c53306a6b113062 /django/forms | |
| parent | 007e46d815063d598e0d3db78bfb371100e5c61c (diff) | |
[3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django/forms')
| -rw-r--r-- | django/forms/widgets.py | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/django/forms/widgets.py b/django/forms/widgets.py
index 1b1c1439cb..8ef82552a1 100644
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -378,16 +378,40 @@ class MultipleHiddenInput(HiddenInput):
 class FileInput(Input):
     input_type = 'file'
+    allow_multiple_selected = False
     needs_multipart_form = True
     template_name = 'django/forms/widgets/file.html'
 
+    def __init__(self, attrs=None):
+        if (
+            attrs is not None and
+            not self.allow_multiple_selected and
+            attrs.get("multiple", False)
+        ):
+            raise ValueError(
+                "%s doesn't support uploading multiple files."
+                % self.__class__.__qualname__
+            )
+        if self.allow_multiple_selected:
+            if attrs is None:
+                attrs = {"multiple": True}
+            else:
+                attrs.setdefault("multiple", True)
+        super().__init__(attrs)
+
     def format_value(self, value):
         """File input never renders a value."""
         return
 
     def value_from_datadict(self, data, files, name):
         "File widgets take data from FILES, not POST"
-        return files.get(name)
+        getter = files.get
+        if self.allow_multiple_selected:
+            try:
+                getter = files.getlist
+            except AttributeError:
+                pass
+        return getter(name)
 
     def value_omitted_from_data(self, data, files, name):
         return name not in files
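Review bot: In the new `__init__`, `attrs.setdefault("multiple", True)` mutates the dict the caller passed in before it reaches `super().__init__(attrs)`, so a shared `attrs` dict (for example one reused across several widgets in a form definition) silently gains `multiple` for every later use; building a fresh dict avoids the side effect, e.g. `attrs = {"multiple": True, **attrs}` in the `else` branch. The new class attribute `allow_multiple_selected = False` is the switch that the `ValueError` guard and `value_from_datadict` key off, yet it carries no explanation; a one-line comment such as `# Whether this widget may render/accept more than one file; the guard in __init__ rejects attrs["multiple"] on widgets that leave this False.` would make the intent of the guard clear to subclass authors. Note also that the guard only inspects the constructor's `attrs`, so it does not cover `multiple` being added to `widget.attrs` after construction, which is worth stating in that comment rather than leaving implied. In `value_from_datadict`, the `except AttributeError: pass` fallback means a multiple-selected widget handed a plain dict returns a single value instead of a list; if that is intentional it deserves a short comment (`# plain dict (no getlist): fall back to a single value`), since callers expecting a list will not see an error.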
