Demonstration of patching against CVE-2023-31047


5t00

Jun 12, 2023, 2:32:39 PM6/12/23
to Django users
Hi all,

I am new to Django and am looking to demonstrate how applying a Django patch can protect against multiple file uploads, in light of the recognised vulnerability outlined in CVE-2023-31047.

If anyone is able to point me towards any simple examples of multiple file upload app tutorials or github repositories that would have worked pre-patch, and how they might be updated to allow for multiple file uploads whereby all files are validated safely post-patch, that would be greatly appreciated!

Thanks in advance :)

Sebastian Jung

Jun 12, 2023, 3:47:35 PM6/12/23
to django...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2b457b78-8ed0-4ff7-a7e3-ac7f620583f3n%40googlegroups.com.

optimusprime fig

Jun 12, 2023, 5:15:43 PM6/12/23
to django...@googlegroups.com
Thank you! I have tried patching to 4.2.1, which disallows 'multiple' being set to True on the form widget. However, I have struggled to get a working implementation up that allows multiple images of a certain file type only to be uploaded. I am now able to accidentally allow all file types up, even without one file of the required file type, as per the app pre-patch. I.e. pre-patch, the form, if submitted with at least one file of the required types, e.g. a JPG, would pass validation and allow potentially harmful file types up onto the server alongside it. Now I can upload all file types regardless.

Is it best to scrap all multiple file upload implementations that are set to True for multiple once a patch such as this has been released? And basically start from scratch, adding in appropriate validation for each file, say as part of a loop?

Thanks!

Lucifer Black

Jun 12, 2023, 7:10:58 PM6/12/23
to django...@googlegroups.com
It's only getting stuck in part of the loop because you're not putting an action after the phrase. You said you are passionate against CVE of 23 and you are trying to use it as a JPEG image, but then you would have to clarify where the JPEG image needs to resonate to. You're just having it boot loop over and over again because you're just telling it to go nowhere. I'll fix it for you in just a second.


5t00

Jun 13, 2023, 4:19:14 AM6/13/23
to Django users
Thanks, Lucifer. The files, including JPGs, are being placed on the server and I have implemented this code in views.py:

    def form_valid(self, form):
        # Called only after form.is_valid() succeeded; every file in the
        # list is saved, so each one must already have been validated.
        files = form.cleaned_data["file_field"]
        for f in files:
            file_instance = UploadImage(image=f)
            file_instance.save()
        # FormView.form_valid() takes the form as its argument.
        return super().form_valid(form)


Am I right in thinking that this is my issue? I have basically allowed all files to be placed into Model instances once the form has been validated and not the images themselves?

Thanks
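The two questions raised above (whether per-file validation in a loop is the right post-patch approach, and whether the form_valid loop is what lets non-image files through) come down to which files the form's clean step actually sees. The following is an added, stand-alone illustration written for this thread, not code from Django or from either poster: it models the pre-patch semantics of CVE-2023-31047 (the form field validated only the last file of the multi-value input while the view saved every file) next to the post-patch pattern from the Django 4.2.1 release notes, where a MultipleFileField.clean maps the single-file clean over every element. Django itself is not imported; Upload, validate_jpeg, clean_last_only, clean_each and the sample submission are all constructed here, and the magic-byte check stands in for whatever per-file validator (ImageField, FileExtensionValidator, ...) the real form applies.

```python
"""Pre-patch vs post-patch validation of a multi-file upload, in plain Python.

Added illustration for the CVE-2023-31047 discussion; not Django code.
"""
from dataclasses import dataclass

# Constructed sample data: the three-byte JPEG SOI/marker prefix.
JPEG_MAGIC = b"\xff\xd8\xff"


@dataclass
class Upload:
    """Stand-in for an UploadedFile: just a name and its leading bytes."""
    name: str
    content: bytes


class ValidationError(Exception):
    """Collects one message per rejected file, like a form error list."""

    def __init__(self, errors):
        self.errors = list(errors) if isinstance(errors, (list, tuple)) else [errors]
        super().__init__("; ".join(self.errors))


def validate_jpeg(upload: Upload) -> Upload:
    """Single-file validator: extension AND content must both say JPEG.

    Checking the bytes, not only the extension, is an assumption of this
    example; it is what stops a script renamed to .jpg from passing.
    """
    if not upload.name.lower().endswith((".jpg", ".jpeg")):
        raise ValidationError(f"{upload.name}: extension not allowed")
    if not upload.content.startswith(JPEG_MAGIC):
        raise ValidationError(f"{upload.name}: content is not a JPEG")
    return upload


def clean_last_only(uploads):
    """Pre-patch semantics (CVE-2023-31047).

    With multiple=True on ClearableFileInput, the field's clean() received
    only the last file of the multi-value input, so only that file was
    validated, while the view then saved request.FILES.getlist(...) i.e.
    every file that was submitted.
    """
    if not uploads:
        raise ValidationError("no file submitted")
    validate_jpeg(uploads[-1])          # only the last file is checked
    return list(uploads)                # ...but all of them are accepted


def clean_each(uploads):
    """Post-patch pattern: run the single-file clean over every element and
    reject the whole submission if any file fails (the loop the thread asks
    about, done in the form rather than in form_valid)."""
    if not uploads:
        raise ValidationError("no file submitted")
    accepted, errors = [], []
    for upload in uploads:
        try:
            accepted.append(validate_jpeg(upload))
        except ValidationError as exc:
            errors.extend(exc.errors)
    if errors:
        raise ValidationError(errors)
    return accepted


# Constructed submission: a shell script, a script renamed to .jpg, and a
# real-looking JPEG last, which is the order that defeats last-file-only checks.
SAMPLE_SUBMISSION = [
    Upload("script.sh", b"#!/bin/sh\necho not an image\n"),
    Upload("fake.jpg", b"#!/bin/sh\necho still not an image\n"),
    Upload("photo.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"),
]


def demo(uploads=SAMPLE_SUBMISSION):
    """Run both semantics over the same submission and report the outcome."""
    pre_patch = [u.name for u in clean_last_only(uploads)]
    try:
        post_patch = [u.name for u in clean_each(uploads)]
        errors = []
    except ValidationError as exc:
        post_patch, errors = [], exc.errors
    return {
        "pre_patch_accepted": pre_patch,
        "post_patch_accepted": post_patch,
        "post_patch_errors": errors,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the form_valid code above: saving every file in cleaned_data is fine only when the field's clean has already looked at every file. Pre-patch, is_valid() returned True after checking photo.jpg alone, so the loop in form_valid wrote script.sh and fake.jpg to disk as well; with a per-file clean, is_valid() fails and form_valid never runs.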

5t00

Jun 13, 2023, 7:48:03 AM6/13/23
to Django users
I am also only seeing the error below when running python -m pip install -U Django and then python manage.py makemigrations:

    files = forms.FileField(widget=forms.ClearableFileInput(attrs={'multiple': True}))
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\stuar\simplefileupload\.venv\Lib\site-packages\django\forms\widgets.py", line 427, in __init__
    raise ValueError(
ValueError: ClearableFileInput doesn't support uploading multiple files.

If I use the command pip install Django==4.2, I am getting no warning about the 'multiple': True setting.

Is this a security concern or just my misunderstanding?