Hi all, I'm really hoping some may be able to help me with this as I am at
a loss trying to understand the identified vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2023-31047, how Django was patched to
protect against multiple file uploads bypassing validation and how to
demonstrate the vulnerability pre-patch, then how to demonstrate it
post-patch.

To try and understand it further I have created two Django projects, one
with Django 3.1.2 and one with Django 4.2.2. I have then branched the
two Django projects, as follows: one branch of each version has no
validation in the for loop and one has file extension validation plus full_clean()
in views.py. If anyone is able to have a look at the GitHub repositories
and give their expert opinion that would be very much appreciated!

Django Version 3.1.2 branch with no validation:
https://github.com/5t00g1t/simplefileupload/blob/view-with-no-validation-in-for-loop/djangofilesupload/filesupload/views.py
Django Version 3.1.2 branch with validation:
https://github.com/5t00g1t/simplefileupload/blob/view-has-try-and-full_clean()-for-validation-in-for-loop/djangofilesupload/filesupload/views.py
Django Version 4.2.2 branch with no validation:
https://github.com/5t00g1t/simplefileuploadnew/blob/view-with-no-validation-in-for-loop/djangofilesupload/filesupload/views.py
Django Version 4.2.2 branch with validation:
https://github.com/5t00g1t/simplefileuploadnew/blob/view-has-try-and-full_clean()-for-validation-in-for-loop/djangofilesupload/filesupload/views.py
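The following is an added illustration of the mechanism behind CVE-2023-31047, written for this thread; it is not code from the poster's repositories or from Django itself. It models `request.FILES` with a small constructed multi-value mapping (hypothetical `MultiValueDict`, where `get()` returns only the last value and `getlist()` returns all of them, mirroring Django's `MultiValueDict` semantics). The pre-patch pattern validates the single file the form field sees (the last one) while the view then saves every file from `getlist()`, so earlier files in the same field are never validated. The fixed pattern validates each uploaded file before anything is saved, which is what Django's patched `forms.FileField` behaviour and the newer `MultipleFileField` recipe enforce. File names and contents are constructed sample data.

```python
import os
from dataclasses import dataclass

# Extensions the application is willing to accept (constructed policy).
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg"}


@dataclass
class UploadedFile:
    """Minimal stand-in for Django's UploadedFile (constructed)."""
    name: str
    content: bytes


class MultiValueDict:
    """Stand-in for request.FILES (hypothetical): like Django's MultiValueDict,
    get() returns the LAST value for a key and getlist() returns all of them."""

    def __init__(self):
        self._data = {}

    def append(self, key, value):
        self._data.setdefault(key, []).append(value)

    def get(self, key):
        values = self._data.get(key)
        return values[-1] if values else None

    def getlist(self, key):
        return list(self._data.get(key, []))


def validate_extension(upload):
    """Reject a file whose extension is not on the allow-list."""
    ext = os.path.splitext(upload.name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"{upload.name}: extension {ext!r} is not allowed")


def save_validate_last_only(files, field="file"):
    """Pre-patch pattern: the form field validates files.get(field), i.e. only the
    last file sent under that field name, while the view saves files.getlist(field).
    Returns the names that would be saved."""
    validate_extension(files.get(field))
    return [f.name for f in files.getlist(field)]


def save_validate_each(files, field="file"):
    """Fixed pattern: every file sent under the field name is validated before any
    file is saved, so one bad file rejects the whole request."""
    uploads = files.getlist(field)
    for upload in uploads:
        validate_extension(upload)
    return [f.name for f in uploads]


def demo():
    """Two files under one field: a disallowed one first, an allowed one last.
    Returns (names saved by the weak pattern, names saved by the fixed pattern)."""
    files = MultiValueDict()
    files.append("file", UploadedFile("installer.exe", b"MZ..."))  # constructed, disallowed
    files.append("file", UploadedFile("notes.pdf", b"%PDF-1.4"))   # constructed, allowed
    weak = save_validate_last_only(files)
    try:
        fixed = save_validate_each(files)
    except ValueError:
        fixed = []
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("validate last only saved:", weak)
    print("validate each saved:     ", fixed)
```

Running it shows the weak pattern saving both `installer.exe` and `notes.pdf` because only the last file passed through validation, while the fixed pattern rejects the request. In a real view the same check is what the `for f in request.FILES.getlist(...)` loop with per-file `full_clean()` in the "with validation" branches above is meant to provide; the point of the Django patch is that a plain `forms.FileField` no longer silently accepts a multi-file submission and validates just one of them.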

-- 
Posted to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAPBNwv%2BEz-EPLQbchNtR%3Do-GACmpVoFa2GjvSGwazNwCTe2UDQ%40mail.gmail.com.