diff options
Diffstat (limited to 'docs/releases/3.2.19.txt')
| -rw-r--r-- | docs/releases/3.2.19.txt | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/docs/releases/3.2.19.txt b/docs/releases/3.2.19.txt index c5817e689c..9f9eb3f45c 100644 --- a/docs/releases/3.2.19.txt +++ b/docs/releases/3.2.19.txt @@ -6,4 +6,18 @@ Django 3.2.19 release notes Django 3.2.19 fixes a security issue with severity "low" in 3.2.18. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. |