Thanks, Lucifer. The files, including JPGs, are being placed on the server and I have implemented this code in Views.py:

    def form_valid(self, form):
        files = form.cleaned_data["file_field"]
        for f in files:
            file_instance = UploadImage(image=f)
            file_instance.save()
        return super().form_valid(form)

Am I right in thinking that this is my issue? I have basically allowed all files to be placed into Model instances once the form has been validated, and not the images themselves?

Thanks

On Tuesday, 13 June 2023 at 00:10:58 UTC+1 Lucifer Black wrote:
> It's only getting stuck in part of the loop because you're not putting an
> action after the phrase you said you are passionate against cve of 23 and
> you are trying to use it as a JPEG image, but then you would have to clarify
> where the jpeg image needs to resonate to; you're just having it boot loop
> over and over again because you're just telling it to go nowhere. I'll fix
> it for you in just a second.
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
>
> ------------------------------
> *From:* django...@googlegroups.com <django...@googlegroups.com> on behalf
> of optimusprime fig <stuartbea...@gmail.com>
> *Sent:* Monday, June 12, 2023 4:15:33 PM
> *To:* django...@googlegroups.com <django...@googlegroups.com>
> *Subject:* Re: Demonstration of patching against CVE-2023-31047
>
> Thank you! I have tried patching to 4.2.1, which disallows multiple to
> be set as True on the form widget. However, I have struggled to get a
> working implementation up that allows multiple images of a certain file
> type only to be uploaded. I am now able to accidentally allow all file
> types up even without one file of the required file type, as per the app
> pre-patch. I.e. pre-patch, the form, if submitted with at least one file of
> the required types, e.g. a JPG, would pass validation and allow potentially
> harmful file types up onto the server alongside it. Now I can upload all
> file types regardless.
>
> Is it best to scrap all multiple file upload implementations that are set
> to True for multiple once a patch such as this has been released? And
> basically start from scratch, adding in appropriate validation for each
> file, say as part of a loop?
>
> Thanks!
>
> On Mon, 12 Jun 2023 at 20:47, Sebastian Jung <sebasti...@gmail.com> wrote:
>
>> Use django >= 4.2.1
>>
>> https://security.snyk.io/vuln/SNYK-UBUNTU2204-PYTHONDJANGO-5492023
>>
>> 5t00 <stuartbea...@gmail.com> schrieb am Mo., 12. Juni 2023, 20:32:
>>
>>> Hi all,
>>>
>>> I am new to Django and am looking to demonstrate how the application of
>>> a Django patch can prevent against multiple file uploads in light of the
>>> recognised vulnerability outlined in CVE-2023-31047.
>>>
>>> If anyone is able to point me towards any simple examples of multiple
>>> file upload app tutorials or github repositories that would have worked
>>> pre-patch, and how they might be updated to allow for multiple file uploads
>>> whereby all files are validated safely post-patch, that would be greatly
>>> appreciated!
>>>
>>> Thanks in advance :)
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to django-users...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/2b457b78-8ed0-4ff7-a7e3-ac7f620583f3n%40googlegroups.com