Hi all, I'm really hoping some may be able to help me with this as I am at a loss trying to understand the identified vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-31047, how Django was patched to protect against multiple file uploads bypassing validation and how to demonstrate the vulnerability pre-patch, then how to demonstrate it post patch.
To try and understand it further I have created two Django projects, one with Django 3.1.2 and one with with Django 4.2.2. I have then branched the two Django projects, as follows, one branch of each version has no validation in the and one has file extension validation plus full_clean() in views.py. If anyone is able to have a look at the Github repositories and give their expert opinion that would be very much appreciated! Django Version 3.1.2 branch with no validation: https://github.com/5t00g1t/simplefileupload/blob/view-with-no-validation-in-for-loop/djangofilesupload/filesupload/views.py Django Version 3.1.2 branch with validation: https://github.com/5t00g1t/simplefileupload/blob/view-has-try-and-full_clean()-for-validation-in-for-loop/djangofilesupload/filesupload/views.py Django Version 4.2.2 branch with no validation: https://github.com/5t00g1t/simplefileuploadnew/blob/view-with-no-validation-in-for-loop/djangofilesupload/filesupload/views.py Django Version 4.2.2 branch with validation: https://github.com/5t00g1t/simplefileuploadnew/blob/view-has-try-and-full_clean()-for-validation-in-for-loop/djangofilesupload/filesupload/views.py -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAPBNwv%2BEz-EPLQbchNtR%3Do-GACmpVoFa2GjvSGwazNwCTe2UDQ%40mail.gmail.com.
