diff options
Diffstat (limited to 'docs/releases/4.1.9.txt')
| -rw-r--r-- | docs/releases/4.1.9.txt | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/docs/releases/4.1.9.txt b/docs/releases/4.1.9.txt index 87b6690685..77c2b3547b 100644 --- a/docs/releases/4.1.9.txt +++ b/docs/releases/4.1.9.txt @@ -6,4 +6,18 @@ Django 4.1.9 release notes Django 4.1.9 fixes a security issue with severity "low" in 4.1.8. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. |