Monday, June 12, 2023

Re: Demonstration of patching against CVE-2023-31047

Thank you! I have tried patching to 4.2.1, which disallows multiple being set to True on the form widget. However, I have struggled to get a working implementation up that allows multiple images of a certain file type only to be uploaded. I am now able to accidentally allow all file types up, even without one file of the required file type, as per the app pre-patch. I.e. pre-patch, the form, if submitted with at least one file of the required types, e.g. a JPG, would pass validation and allow potentially harmful file types up onto the server alongside it. Now I can upload all file types regardless.

Is it best to scrap all multiple file upload implementations that are set to True for multiple once a patch such as this has been released? And basically start from scratch, adding in appropriate validation for each file, say as part of a loop?

Thanks!
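The per-file loop asked about above, as an added example that is not from anyone in this thread: it strips the framework away and uses only the standard library, but keeps the shape the Django docs recommend after 4.2.1 (a field whose clean() runs on every uploaded file rather than only the last one). The Upload class, the validator names, the signature table and the sample batch are all constructed for this example.

```python
"""Validate every file in a multi-file upload, not just the last one."""
from dataclasses import dataclass

# Magic bytes of the only image formats this hypothetical form accepts;
# the check is on content, so a renamed executable does not pass as a JPG.
ALLOWED_SIGNATURES = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}
MAX_BYTES = 5 * 1024 * 1024  # per-file size cap chosen for the example


@dataclass
class Upload:
    name: str       # client-supplied filename; never trusted on its own
    content: bytes  # the leading bytes are enough for the signature check


def validate_one(upload):
    """Return None if the file looks like an allowed image, else an error."""
    if not upload.content:
        return f"{upload.name}: empty file"
    if len(upload.content) > MAX_BYTES:
        return f"{upload.name}: exceeds {MAX_BYTES} bytes"
    if any(upload.content.startswith(m) for m in ALLOWED_SIGNATURES.values()):
        return None
    return f"{upload.name}: content is not JPEG or PNG (extension ignored)"


def validate_last_only(uploads):
    """Pre-patch shape of CVE-2023-31047: only the last file gets cleaned."""
    if not uploads:
        return ["no files"]
    err = validate_one(uploads[-1])
    return [err] if err else []


def validate_each(uploads):
    """Post-patch shape: clean each file; any single failure rejects the batch."""
    if not uploads:
        return ["no files"]
    return [err for err in map(validate_one, uploads) if err is not None]


# Constructed batch: an executable header wearing a .jpg name, then a real JPEG.
SAMPLE_BATCH = [
    Upload("cat.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    Upload("dog.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
]

if __name__ == "__main__":
    print("last-only errors:", validate_last_only(SAMPLE_BATCH))  # [] slips through
    print("per-file errors: ", validate_each(SAMPLE_BATCH))
```

Wire validate_each into the field's clean() (or a form-level clean) and reject the whole submission when the list is non-empty, so one good image can no longer carry the others through.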

On Mon, 12 Jun 2023 at 20:47, Sebastian Jung <sebastian.jung2@gmail.com> wrote:

5t00 <stuartbealesoftware@gmail.com> wrote on Mon., 12 June 2023, 20:32:
Hi all,

I am new to Django and am looking to demonstrate how the application of a Django patch can prevent against multiple file uploads in light of the recognised vulnerability outlined in CVE-2023-31047.

If anyone is able to point me towards any simple examples of multiple file upload app tutorials or github repositories that would have worked pre-patch, and how they might be updated to allow for multiple file uploads whereby all files are validated safely post-patch, that would be greatly appreciated!

Thanks in advance :)

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2b457b78-8ed0-4ff7-a7e3-ac7f620583f3n%40googlegroups.com.
