[4.0.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.

Thanks to Jakob Ackermann for the report.
author: Markus Holtermann <info@markusholtermann.eu> 2022-12-13 10:27:39 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2023-02-07 10:36:32 +0100
commit: 83f1ea83e4553e211c1c5a0dfc197b66d4e50432 (patch)
tree: b6d1c0c5b7dc19b61d8af4c192f9b6e7b99b0a38 /django/http/request.py
parent: e5aecded4de78b8ce2048490fc9b12258e8b7623 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/django/http/request.py b/django/http/request.py
index f32d57ba67..a32953e86e 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -14,7 +14,11 @@ from django.core.exceptions import (
     TooManyFieldsSent,
 )
 from django.core.files import uploadhandler
-from django.http.multipartparser import MultiPartParser, MultiPartParserError
+from django.http.multipartparser import (
+    MultiPartParser,
+    MultiPartParserError,
+    TooManyFilesSent,
+)
 from django.utils.datastructures import (
     CaseInsensitiveMapping,
     ImmutableList,
@@ -367,7 +371,7 @@ class HttpRequest:
                 data = self
             try:
                 self._post, self._files = self.parse_file_upload(self.META, data)
-            except MultiPartParserError:
+            except (MultiPartParserError, TooManyFilesSent):
                 # An error occurred while parsing POST data. Since when
                 # formatting the error the request handler might access
                 # self.POST, set self._post and self._file to prevent
author	Markus Holtermann <info@markusholtermann.eu>	2022-12-13 10:27:39 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2023-02-07 10:36:32 +0100
commit	83f1ea83e4553e211c1c5a0dfc197b66d4e50432 (patch)
tree	b6d1c0c5b7dc19b61d8af4c192f9b6e7b99b0a38 /django/http/request.py
parent	e5aecded4de78b8ce2048490fc9b12258e8b7623 (diff)