[3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports. Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-04-13 10:10:56 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-05-03 13:58:52 +0200
commit: eed53d0011622e70b936e203005f0e6f4ac48965 (patch)
tree: 175c2c28c419b7bbeda52bc80c53306a6b113062 /tests/forms_tests/widget_tests/test_fileinput.py
parent: 007e46d815063d598e0d3db78bfb371100e5c61c (diff)
1 files changed, 44 insertions, 0 deletions
diff --git a/tests/forms_tests/widget_tests/test_fileinput.py b/tests/forms_tests/widget_tests/test_fileinput.py
index 8eec26253a..8068f70b3b 100644
--- a/tests/forms_tests/widget_tests/test_fileinput.py
+++ b/tests/forms_tests/widget_tests/test_fileinput.py
@@ -1,4 +1,6 @@
+from django.core.files.uploadedfile import SimpleUploadedFile
 from django.forms import FileInput
+from django.utils.datastructures import MultiValueDict
 
 from .base import WidgetTest
 
@@ -24,3 +26,45 @@ class FileInputTest(WidgetTest):
         # user to keep the existing, initial value.
         self.assertIs(self.widget.use_required_attribute(None), True)
         self.assertIs(self.widget.use_required_attribute('resume.txt'), False)
+
+    def test_multiple_error(self):
+        msg = "FileInput doesn't support uploading multiple files."
+        with self.assertRaisesMessage(ValueError, msg):
+            FileInput(attrs={"multiple": True})
+
+    def test_value_from_datadict_multiple(self):
+        class MultipleFileInput(FileInput):
+            allow_multiple_selected = True
+
+        file_1 = SimpleUploadedFile("something1.txt", b"content 1")
+        file_2 = SimpleUploadedFile("something2.txt", b"content 2")
+        # Uploading multiple files is allowed.
+        widget = MultipleFileInput(attrs={"multiple": True})
+        value = widget.value_from_datadict(
+            data={"name": "Test name"},
+            files=MultiValueDict({"myfile": [file_1, file_2]}),
+            name="myfile",
+        )
+        self.assertEqual(value, [file_1, file_2])
+        # Uploading multiple files is not allowed.
+        widget = FileInput()
+        value = widget.value_from_datadict(
+            data={"name": "Test name"},
+            files=MultiValueDict({"myfile": [file_1, file_2]}),
+            name="myfile",
+        )
+        self.assertEqual(value, file_2)
+
+    def test_multiple_default(self):
+        class MultipleFileInput(FileInput):
+            allow_multiple_selected = True
+
+        tests = [
+            (None, True),
+            ({"class": "myclass"}, True),
+            ({"multiple": False}, False),
+        ]
+        for attrs, expected in tests:
+            with self.subTest(attrs=attrs):
+                widget = MultipleFileInput(attrs=attrs)
+                self.assertIs(widget.attrs["multiple"], expected)
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-04-13 10:10:56 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-05-03 13:58:52 +0200
commit	eed53d0011622e70b936e203005f0e6f4ac48965 (patch)
tree	175c2c28c419b7bbeda52bc80c53306a6b113062 /tests/forms_tests/widget_tests/test_fileinput.py
parent	007e46d815063d598e0d3db78bfb371100e5c61c (diff)