Demo of CVE-2023-31047 patch


optimusprime fig

Jun 19, 2023, 7:27:08 PM
to django...@googlegroups.com
Hi all, I'm really hoping someone may be able to help me with this, as I am at a loss trying to understand the identified vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2023-31047), how Django was patched to protect against multiple file uploads bypassing validation, how to demonstrate the vulnerability pre-patch, and then how to demonstrate it post-patch.

To try and understand it further I have created two Django projects, one with Django 3.1.2 and one with Django 4.2.2. I have then branched the two Django projects as follows: one branch of each version has no validation in the and one has file extension validation plus full_clean() in views.py. If anyone is able to have a look at the GitHub repositories and give their expert opinion, that would be very much appreciated!
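The core of CVE-2023-31047 is that a plain Django `FileField` only ever validated the last file submitted under a field name (the value `request.FILES[name]` returns from Django's `MultiValueDict`), while a view that saved `request.FILES.getlist(name)` wrote every file, including the ones that were never checked. The fix made the file input widgets refuse the `multiple` HTML attribute unless a field explicitly opts in, and Django's documentation now recommends a `MultipleFileField` whose `clean()` loops over every upload. The following is an added, stand-alone illustration written for this thread; it is not the poster's code and not Django's. It uses only the standard library: `FilesDict` and `UploadedFile` are constructed stand-ins that mimic just the `get`/`getlist` semantics of `request.FILES`, the extension allowlist and the upload names are made up for the demo, and `clean_single` versus `clean_multiple` contrast the last-file-only check with the per-file check.

```python
import os
from dataclasses import dataclass

# Constructed allowlist for the demo; a real project would pick its own.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


@dataclass
class UploadedFile:
    """Minimal stand-in for Django's UploadedFile; only the name matters here."""
    name: str


class FilesDict:
    """Constructed stand-in that mirrors the two lookups of Django's
    MultiValueDict (request.FILES): get() returns only the LAST value
    submitted under a key, getlist() returns all of them."""

    def __init__(self):
        self._data = {}

    def add(self, key, value):
        self._data.setdefault(key, []).append(value)

    def get(self, key, default=None):
        values = self._data.get(key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(self._data.get(key, []))


def validate_extension(upload):
    """Reject any upload whose extension is not on the allowlist."""
    ext = os.path.splitext(upload.name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValidationError(f"{upload.name}: extension {ext!r} not allowed")
    return upload


def clean_single(files, field_name):
    """Shape of the pre-patch weakness: a plain FileField only saw
    files.get(name), i.e. the last file, so earlier files were never validated."""
    return validate_extension(files.get(field_name))


def clean_multiple(files, field_name):
    """Post-patch pattern (a MultipleFileField whose clean() loops over every
    file): each upload is validated, or the whole submission is rejected."""
    uploads = files.getlist(field_name)
    if not uploads:
        raise ValidationError("no files submitted")
    return [validate_extension(u) for u in uploads]


def handle_upload(files, field_name, validate_every_file):
    """Return the names a view would go on to save, or the error it would show.
    Mirrors a view that saves request.FILES.getlist(name) once the form is valid."""
    try:
        if validate_every_file:
            clean_multiple(files, field_name)
        else:
            clean_single(files, field_name)
    except ValidationError as exc:
        return {"saved": [], "error": str(exc)}
    return {"saved": [u.name for u in files.getlist(field_name)], "error": None}


def demo():
    """Three constructed uploads under one field; the disallowed one is not last."""
    files = FilesDict()
    for name in ("invoice.pdf", "archive.zip", "photo.png"):
        files.add("attachments", UploadedFile(name))
    before = handle_upload(files, "attachments", validate_every_file=False)
    after = handle_upload(files, "attachments", validate_every_file=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("last-file-only validation:", before)
    print("per-file validation:      ", after)
```

Running it shows the two outcomes side by side: with last-file-only validation the form passes because `photo.png` is allowed, and the view then saves all three names including `archive.zip`; with per-file validation the same submission is rejected at `archive.zip` and nothing is saved. That is the behaviour difference to look for between the two branches of each project: the check in `views.py` has to run over `request.FILES.getlist(...)`, not just the one file the form field hands back.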
