[2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

felixxm · felixxm · commit c477b7618049 · 2022-02-01T07:57:28.000+01:00
Thanks Alan Ryan for the report and initial patch. Backport of fc18f36 from main.
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
@@ -240,6 +240,8 @@ def parse(self):
                                 remaining = len(stripped_chunk) % 4
                                 while remaining != 0:
                                     over_chunk = field_stream.read(4 - remaining)
+                                    if not over_chunk:
+                                        break
                                     stripped_chunk += b"".join(over_chunk.split())
                                     remaining = len(stripped_chunk) % 4
 
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
@@ -15,3 +15,9 @@ posing an XSS attack vector.
 In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
@@ -142,6 +142,26 @@ def test_big_base64_upload(self):
     def test_big_base64_newlines_upload(self):
         self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
 
+    def test_base64_invalid_upload(self):
+        payload = client.FakePayload('\r\n'.join([
+            '--' + client.BOUNDARY,
+            'Content-Disposition: form-data; name="file"; filename="test.txt"',
+            'Content-Type: application/octet-stream',
+            'Content-Transfer-Encoding: base64',
+            ''
+        ]))
+        payload.write(b'\r\n!\r\n')
+        payload.write('--' + client.BOUNDARY + '--\r\n')
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo_content/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.json()['file'], '')
+
     def test_unicode_file_name(self):
         with sys_tempfile.TemporaryDirectory() as temp_dir:
             # This file contains Chinese symbols and an accented char in the name.
