author    Markus Holtermann <info@markusholtermann.eu>    2022-12-13 10:27:39 +0100
committer Carlton Gibson <carlton.gibson@noumenal.es>    2023-02-14 08:24:06 +0100
commit    628b33a854a9c68ec8a0c51f382f304a0044ec92 (patch)
tree      3da9d68becb1a4f9170944a6e1591dcc5946db8a /docs
parent    425c75f56f4f05950826e7e7022ea764f8627eb1 (diff)
[4.1.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
Diffstat (limited to 'docs')
-rw-r--r--  docs/ref/exceptions.txt      5
-rw-r--r--  docs/ref/settings.txt       23
-rw-r--r--  docs/releases/3.2.18.txt    10
-rw-r--r--  docs/releases/4.0.10.txt    10
-rw-r--r--  docs/releases/4.1.7.txt     14
5 files changed, 57 insertions, 5 deletions
diff --git a/docs/ref/exceptions.txt b/docs/ref/exceptions.txt
index 2b567414e6..a2bf41499b 100644
--- a/docs/ref/exceptions.txt
+++ b/docs/ref/exceptions.txt
@@ -84,12 +84,17 @@ Django core exception classes are defined in ``django.core.exceptions``.
* ``SuspiciousMultipartForm``
* ``SuspiciousSession``
* ``TooManyFieldsSent``
+ * ``TooManyFilesSent``
If a ``SuspiciousOperation`` exception reaches the ASGI/WSGI handler level
it is logged at the ``Error`` level and results in
a :class:`~django.http.HttpResponseBadRequest`. See the :doc:`logging
documentation </topics/logging/>` for more information.
+.. versionchanged:: 3.2.18
+
+ ``SuspiciousOperation`` is raised when too many files are submitted.
+
``PermissionDenied``
--------------------
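Review bot: the new ``versionchanged`` note in this hunk names only the base class (``SuspiciousOperation`` is raised when too many files are submitted), while the list item added a few lines above introduces the specific subclass ``TooManyFilesSent``. Naming the subclass here, e.g. "``TooManyFilesSent`` (a subclass of ``SuspiciousOperation``) is raised when too many files are submitted.", tells readers which exception to catch and keeps the two additions in this file consistent.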
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index a61612f49b..218de8f1d7 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1108,6 +1108,28 @@ could be used as a denial-of-service attack vector if left unchecked. Since web
servers don't typically perform deep request inspection, it's not possible to
perform a similar check at that level.
+.. setting:: DATA_UPLOAD_MAX_NUMBER_FILES
+
+``DATA_UPLOAD_MAX_NUMBER_FILES``
+--------------------------------
+
+.. versionadded:: 3.2.18
+
+Default: ``100``
+
+The maximum number of files that may be received via POST in a
+``multipart/form-data`` encoded request before a
+:exc:`~django.core.exceptions.SuspiciousOperation` (``TooManyFiles``) is
+raised. You can set this to ``None`` to disable the check. Applications that
+are expected to receive an unusually large number of file fields should tune
+this setting.
+
+The number of accepted files is correlated to the amount of time and memory
+needed to process the request. Large requests could be used as a
+denial-of-service attack vector if left unchecked. Since web servers don't
+typically perform deep request inspection, it's not possible to perform a
+similar check at that level.
+
.. setting:: DATABASE_ROUTERS
``DATABASE_ROUTERS``
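Review bot: the exception name in the new ``DATA_UPLOAD_MAX_NUMBER_FILES`` entry does not match the class this same commit documents in ``docs/ref/exceptions.txt``: the parenthetical reads ``(``TooManyFiles``)`` but the class added there is ``TooManyFilesSent``. Change the line to ":exc:`~django.core.exceptions.SuspiciousOperation` (``TooManyFilesSent``) is" so the settings reference and the exceptions reference agree; a reader searching for ``TooManyFiles`` in a traceback will otherwise find no such class.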
@@ -3727,6 +3749,7 @@ HTTP
----
* :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`
* :setting:`DATA_UPLOAD_MAX_NUMBER_FIELDS`
+* :setting:`DATA_UPLOAD_MAX_NUMBER_FILES`
* :setting:`DEFAULT_CHARSET`
* :setting:`DISALLOWED_USER_AGENTS`
* :setting:`FORCE_SCRIPT_NAME`
diff --git a/docs/releases/3.2.18.txt b/docs/releases/3.2.18.txt
index 431d04c989..46c0feb51e 100644
--- a/docs/releases/3.2.18.txt
+++ b/docs/releases/3.2.18.txt
@@ -6,4 +6,12 @@ Django 3.2.18 release notes
Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.
-...
+CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
+=========================================================================
+
+Passing certain inputs to multipart forms could result in too many open files
+or memory exhaustion, and provided a potential vector for a denial-of-service
+attack.
+
+The number of files parts parsed is now limited via the new
+:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.
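Review bot: typo in the last paragraph of this hunk: "The number of files parts parsed" should read "The number of file parts parsed". The identical sentence is added to the 4.0.10 and 4.1.7 release notes in this commit, so fix all three copies together.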
diff --git a/docs/releases/4.0.10.txt b/docs/releases/4.0.10.txt
index b01f8c5b1b..4d076ab40e 100644
--- a/docs/releases/4.0.10.txt
+++ b/docs/releases/4.0.10.txt
@@ -6,4 +6,12 @@ Django 4.0.10 release notes
Django 4.0.10 fixes a security issue with severity "moderate" in 4.0.9.
-...
+CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
+=========================================================================
+
+Passing certain inputs to multipart forms could result in too many open files
+or memory exhaustion, and provided a potential vector for a denial-of-service
+attack.
+
+The number of files parts parsed is now limited via the new
+:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.
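Review bot: same typo as in the 3.2.18 notes, "files parts" should be "file parts" in "The number of files parts parsed is now limited".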
diff --git a/docs/releases/4.1.7.txt b/docs/releases/4.1.7.txt
index e74d43c0e5..bcc6858d3e 100644
--- a/docs/releases/4.1.7.txt
+++ b/docs/releases/4.1.7.txt
@@ -4,10 +4,18 @@ Django 4.1.7 release notes
*February 14, 2023*
-Django 4.1.7 fixes a security issue with severity "moderate" and several bugs
-in 4.1.6.
+Django 4.1.7 fixes a security issue with severity "moderate" and a bug in
+4.1.6.
-...
+CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
+=========================================================================
+
+Passing certain inputs to multipart forms could result in too many open files
+or memory exhaustion, and provided a potential vector for a denial-of-service
+attack.
+
+The number of files parts parsed is now limited via the new
+:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.
Bugfixes
========
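Review bot: same typo as in the 3.2.18 and 4.0.10 notes, "files parts" should be "file parts" in "The number of files parts parsed is now limited". The rest of the hunk (replacing the "..." placeholder with the CVE section and narrowing "several bugs" to "a bug") reads fine.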