diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-04-13 10:10:56 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-05-03 13:43:16 +0200 |
| commit | 21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd (patch) | |
| tree | 0fc243d8c7e71dae06ace8c746fc88d24d52fed3 /docs/releases/4.1.9.txt | |
| parent | 290fd5ecece400490ad6bb557720d3b76f647eaf (diff) | |
[4.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'docs/releases/4.1.9.txt')
| -rw-r--r-- | docs/releases/4.1.9.txt | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/docs/releases/4.1.9.txt b/docs/releases/4.1.9.txt index 87b6690685..77c2b3547b 100644 --- a/docs/releases/4.1.9.txt +++ b/docs/releases/4.1.9.txt @@ -6,4 +6,18 @@ Django 4.1.9 release notes Django 4.1.9 fixes a security issue with severity "low" in 4.1.8. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. |