diff options
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/3.2.19.txt | 16 | ||||
| -rw-r--r-- | docs/releases/4.1.9.txt | 16 | ||||
| -rw-r--r-- | docs/releases/4.2.1.txt | 16 |
3 files changed, 46 insertions, 2 deletions
diff --git a/docs/releases/3.2.19.txt b/docs/releases/3.2.19.txt index c5817e689c..9f9eb3f45c 100644 --- a/docs/releases/3.2.19.txt +++ b/docs/releases/3.2.19.txt @@ -6,4 +6,18 @@ Django 3.2.19 release notes Django 3.2.19 fixes a security issue with severity "low" in 3.2.18. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. diff --git a/docs/releases/4.1.9.txt b/docs/releases/4.1.9.txt index 87b6690685..77c2b3547b 100644 --- a/docs/releases/4.1.9.txt +++ b/docs/releases/4.1.9.txt @@ -6,4 +6,18 @@ Django 4.1.9 release notes Django 4.1.9 fixes a security issue with severity "low" in 4.1.8. -... +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. diff --git a/docs/releases/4.2.1.txt b/docs/releases/4.2.1.txt index bed64f6ad1..7977e7f088 100644 --- a/docs/releases/4.2.1.txt +++ b/docs/releases/4.2.1.txt @@ -7,6 +7,22 @@ Django 4.2.1 release notes Django 4.2.1 fixes a security issue with severity "low" and several bugs in 4.2. +CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field +================================================================================================= + +Uploading multiple files using one form field has never been supported by +:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last +uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` +topic suggested otherwise. + +In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` +and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when +the ``multiple`` HTML attribute is set on them. To prevent the exception and +keep the old behavior, set ``allow_multiple_selected`` to ``True``. + +For more details on using the new attribute and handling of multiple files +through a single field, see :ref:`uploading_multiple_files`. + Bugfixes ======== |