—

PYSEC-2023-61

상세

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / django

최초 영향 버전: 3.2 수정 버전: 3.2.19

수정 pip install --upgrade 'django>=3.2.19'

참고

https://www.djangoproject.com/weblog/2023/may/03/security-releases/ [ADVISORY]
https://docs.djangoproject.com/en/4.2/releases/security/ [ADVISORY]
https://groups.google.com/forum/#!forum/django-announce [ARTICLE]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/ [REPORT]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/ [WEB]
https://github.com/advisories/GHSA-r3xc-prgr-mg9p [ADVISORY]