Changes between Initial Version and Version 1 of Ticket #14192
Timestamp: Aug 29, 2010, 6:45:14 PM (14 years ago)
Ticket #14192 – Description
initial v1 1 1 2 2 As per my original email to the django users mailing list: 3 " 3 4 4 Ok so I was looking through the code and I saw this (in 5 5 django/core/files/uploadhandler.py) : 6 6 7 7 {{{ 8 8 FileUploadHandler 9 9 ... … … 17 17 content_length (and sometimes won't even get it). 18 18 """ 19 19 }}} 20 20 So the content_length we control right? - Maybe I missed something but 21 21 ... I can say I want to upload a small file then upload a file that … … 23 23 24 24 And then this. 25 25 {{{ 26 26 class MemoryFileUploadHandler(FileUploadHandler): 27 27 """ … … 72 72 content_type = self.content_type, 73 73 size = file_size, 74 }}} 74 75 75 76 There is a regression test for this BUT --> in the test suite there … … 78 79 (django/tests/regressiontests/file_uploads/uploadhandler.py) 79 80 80 81 {{{ 81 82 def receive_data_chunk(self, raw_data, start): 82 83 self.total_upload += len(raw_data) … … 84 85 raise StopUpload(connection_reset=True) 85 86 return raw_data 87 }}} 86 88 87 89 So obviously my proposed attack is to simply say "content length is … … 90 92 91 93 And the various follow ups, I propose the following fix: 92 93 94 94 95 95 {{{ … … 119 119 120 120 121 "As I understand it an attacker can abuse gzip user requests, if121 As I understand it an attacker can abuse gzip user requests, if 122 122 mod_deflate is enabled (AND configured to decompress incoming user 123 123 requests - this is not the default) in apache2 with a user gziped … … 125 125 126 126 So an attack could do effectively have a file like this: 127 127 {{{ 128 128 f = open("rar", "w") 129 129 string = "" … … 132 132 f.write(string) 133 133 f.close() 134 134 }}} 135 135 ls -lah 20M 2010-08-29 17:15 rar 136 136
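Review bot: The `ls -lah` output on line 135 is left outside the code block that closes with `}}}` on line 134, so it will render as wiki prose rather than preformatted text; wrap it in its own `{{{` and `}}}` pair. The modified line 121 drops the leading `"` before "As I understand", but the lone `"` on line 3 is unchanged, so unless a closing quote sits in the elided lines the quotation of the mailing list email is opened and never closed; either remove line 3 as well or add the closing quote where the quoted email ends.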