Re: [Django] #31710: Added all files validation to the "Uploading multiple files" example.
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mahanth
Type: | kumar
Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mahanth kumar):
* owner: nobody => Mahanth kumar
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mahanth
Type: | kumar
Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mahanth kumar):
Replying to [comment:3 felixxm]:
> [https://docs.djangoproject.com/en/3.0/topics/http/file-uploads
/#uploading-multiple-files Uploading multiple files] contains only a
simple example how you can handle multiple files, it will validate only
the first file. It's not a bug in `ImageField` because it doesn't support
uploading multiple files.
>
> I agree that we we could improve this example (`forms.py`) with adding
all files validation.
I''m thinking to add a note under the example regarding the all files
validation,Is that Okay?
or how should i improve the forms.py example
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:5>
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mahanth
Type: | kumar
Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* cc: simonbru (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:6>
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mahanth
Type: | kumar
Cleanup/optimization | Status: assigned
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by jaspercram):
When I add a validator to the image form (using something like
https://gist.github.com/mobula/da99e4db843b9ceb3a3f ), only the first
image gets validated. I assume that is another consequence of the problem
described above. This way, it is not possible to check if the uploaded
images are not too big. For a developer who is using validators for multi
image uploads, it is hard to detect that the code doesn't behave as
expected.
Shouldn't this be reclassified as a bug?
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:7>
Django
Reporter: nawaik | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Claude Paroz):
* owner: Mahanth kumar => (none)
* status: assigned => new
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:8>
Django
Reporter: nawaik | Owner: Mariusz
Type: | Felisiak <felisiak.mariusz@…>
Cleanup/optimization | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):
* owner: (none) => Mariusz Felisiak <felisiak.mariusz@…>
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"fb4c55d9ec4bb812a7fb91fa20510d91645e411b" fb4c55d]:
{{{
#!CommitTicketReference repository=""
revision="fb4c55d9ec4bb812a7fb91fa20510d91645e411b"
Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of
validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <sh...@platonix.com>
Co-authored-by: nessita <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:9>
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mariusz
Type: | Felisiak <felisiak.mariusz@…>
Cleanup/optimization | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd" 21b1b1fc]:
{{{
#!CommitTicketReference repository=""
revision="21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd"
[4.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass
of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <sh...@platonix.com>
Co-authored-by: nessita <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:10>
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mariusz
Type: | Felisiak <felisiak.mariusz@…>
Cleanup/optimization | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"e7c3a2ccc3a562328600be05068ed9149e12ce64" e7c3a2c]:
{{{
#!CommitTicketReference repository=""
revision="e7c3a2ccc3a562328600be05068ed9149e12ce64"
[4.1.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass
of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <sh...@platonix.com>
Co-authored-by: nessita <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:11>
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mariusz
Type: | Felisiak <felisiak.mariusz@…>
Cleanup/optimization | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"eed53d0011622e70b936e203005f0e6f4ac48965" eed53d0]:
{{{
#!CommitTicketReference repository=""
revision="eed53d0011622e70b936e203005f0e6f4ac48965"
[3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass
of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <sh...@platonix.com>
Co-authored-by: nessita <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:12>
Django
-------------------------------------+-------------------------------------
Reporter: nawaik | Owner: Mariusz
Type: | Felisiak <felisiak.mariusz@…>
Cleanup/optimization | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Related PR with docs clarifications:
https://github.com/django/django/pull/18044
Merged in ba4ffdc8771c2f38cf6de26a2b82bbceea2b933a
--
Ticket URL: <https://code.djangoproject.com/ticket/31710#comment:13>