diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-03-05 14:41:44 -0300 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 07:33:47 -0400 |
| commit | 0b467893bdde69a2d23034338e76021a1e4f4322 (patch) | |
| tree | c1afd7bfbda68d3e9bacce5b475af4d906f5659a /docs/releases | |
| parent | 397c22048244db2cd4bb78f570e6c72a3967bf36 (diff) | |
[5.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/4.2.30.txt | 10 | ||||
| -rw-r--r-- | docs/releases/5.2.13.txt | 10 |
2 files changed, 20 insertions, 0 deletions
diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt index de19a6f08f..c5058d9b84 100644 --- a/docs/releases/4.2.30.txt +++ b/docs/releases/4.2.30.txt @@ -46,3 +46,13 @@ instances to be created via forged ``POST`` data. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-33033: Potential denial-of-service vulnerability in ``MultiPartParser`` via base64-encoded file upload +=============================================================================================================== + +When using ``django.http.multipartparser.MultiPartParser``, multipart uploads +with ``Content-Transfer-Encoding: base64`` that include excessive whitespace +may trigger repeated memory copying, potentially degrading performance. + +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt index 8b303f2700..46303da3c7 100644 --- a/docs/releases/5.2.13.txt +++ b/docs/releases/5.2.13.txt @@ -46,3 +46,13 @@ instances to be created via forged ``POST`` data. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-33033: Potential denial-of-service vulnerability in ``MultiPartParser`` via base64-encoded file upload +=============================================================================================================== + +When using ``django.http.multipartparser.MultiPartParser``, multipart uploads +with ``Content-Transfer-Encoding: base64`` that include excessive whitespace +may trigger repeated memory copying, potentially degrading performance. + +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. |