File CVE-2022-23833.patch of Package python-Django

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-23833.patch of Package python-Django

From 0f20a6d15c0fd7e2aa5cb0e60ba1e3fa4aa92569 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Fri, 21 Jan 2022 07:50:03 +0100
Subject: [PATCH 2/2] [2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in
 file uploads.

Thanks Alan Ryan for the report and initial patch.
---
 django/http/multipartparser.py |  2 ++
 docs/releases/2.2.27.txt       |  6 ++++++
 tests/file_uploads/tests.py    | 20 ++++++++++++++++++++
 3 files changed, 28 insertions(+)

diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 4570ebbaee..259128acef 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -246,6 +246,8 @@ class MultiPartParser:
                                 remaining = len(stripped_chunk) % 4
                                 while remaining != 0:
                                     over_chunk = field_stream.read(4 - remaining)
+                                    if not over_chunk:
+                                        break
                                     stripped_chunk += b"".join(over_chunk.split())
                                     remaining = len(stripped_chunk) % 4
 
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 3afcbfd4ad..6be88679b8 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -151,6 +151,26 @@ class FileUploadTests(TestCase):
             # encodestring is a deprecated alias on Python 3
             "Big data" * 68000, encode=base64.encodestring if PY2 else base64.encodebytes)
 
+    def test_base64_invalid_upload(self):
+        payload = client.FakePayload('\r\n'.join([
+            '--' + client.BOUNDARY,
+            'Content-Disposition: form-data; name="file"; filename="test.txt"',
+            'Content-Type: application/octet-stream',
+            'Content-Transfer-Encoding: base64',
+            ''
+        ]))
+        payload.write(b'\r\n!\r\n')
+        payload.write('--' + client.BOUNDARY + '--\r\n')
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo_content/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.json()['file'], '')
+
     def test_unicode_file_name(self):
         tdir = sys_tempfile.mkdtemp()
         self.addCleanup(shutil.rmtree, tdir, True)
-- 
2.25.1

Places

File CVE-2022-23833.patch of Package python-Django

Places