authorMariusz Felisiak <felisiak.mariusz@gmail.com>2023-04-13 10:10:56 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2023-05-03 13:54:21 +0200
commite7c3a2ccc3a562328600be05068ed9149e12ce64 (patch)
tree1d09f4922767c53693d30c407764f5e2d079cda2 /django
parent491dccec1aa10e829539e4e4fcd8cca606a57ebc (diff)
[4.1.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports. Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django')
-rw-r--r--django/forms/widgets.py26
1 files changed, 25 insertions, 1 deletions
diff --git a/django/forms/widgets.py b/django/forms/widgets.py
index 972267b174..ce0d4f7f1f 100644
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -413,17 +413,41 @@ class MultipleHiddenInput(HiddenInput):
class FileInput(Input):
+ allow_multiple_selected = False
input_type = "file"
needs_multipart_form = True
template_name = "django/forms/widgets/file.html"
+ def __init__(self, attrs=None):
+ if (
+ attrs is not None
+ and not self.allow_multiple_selected
+ and attrs.get("multiple", False)
+ ):
+ raise ValueError(
+ "%s doesn't support uploading multiple files."
+ % self.__class__.__qualname__
+ )
+ if self.allow_multiple_selected:
+ if attrs is None:
+ attrs = {"multiple": True}
+ else:
+ attrs.setdefault("multiple", True)
+ super().__init__(attrs)
+
def format_value(self, value):
"""File input never renders a value."""
return
def value_from_datadict(self, data, files, name):
"File widgets take data from FILES, not POST"
- return files.get(name)
+ getter = files.get
+ if self.allow_multiple_selected:
+ try:
+ getter = files.getlist
+ except AttributeError:
+ pass
+ return getter(name)
def value_omitted_from_data(self, data, files, name):
return name not in files
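Review bot: In value_from_datadict the `except AttributeError: pass` fallback means a widget with allow_multiple_selected=True silently returns a single object from `files.get(name)` whenever `files` has no `getlist` (a plain dict), so the shape of the returned value depends on the container type rather than on the widget, and field validation written for a list would then see one file. The fallback looks deliberate for callers that pass a plain dict, so at minimum say so where it happens: `# A plain dict has no getlist(); fall back to the single value rather than fail.` In __init__, `attrs.setdefault("multiple", True)` writes into the caller's dict before it reaches super().__init__, which presumably copies it; `attrs = {"multiple": True, **attrs}` keeps the same precedence (an explicit caller value still wins) without the side effect. Whether FileInput's class body continues past value_omitted_from_data is not visible in this hunk.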