Opened 4 years ago

Closed 12 months ago

Last modified 5 weeks ago

#31710 closed Cleanup/optimization (fixed)

Added all files validation to the "Uploading multiple files" example.

Reported by: nawaik
Owned by: Mariusz Felisiak <felisiak.mariusz@…>
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc: Simon Brulhart
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by nawaik)

When following the multiple files documentation:

https://docs.djangoproject.com/en/3.0/topics/http/file-uploads/#uploading-multiple-files

If you change:

file_field = forms.FileField(widget=forms.ClearableFileInput(attrs={'multiple': True}))

To:

file_field = forms.ImageField(widget=forms.ClearableFileInput(attrs={'multiple': True}))

The file input field looks like this:

<input type="file" name="file_field" multiple="" accept="image/*" required="" id="id_file_field">

If you do inspect element and remove accept="image/*" so it looks like this:

<input type="file" name="file_field" multiple="" required="" id="id_file_field">

If you then only add 1 .txt file everything works fine and you get an error:

"Upload a valid image. The file you uploaded was either not an image or a corrupted image."

However, if you upload multiple .txt files, or a mix of images and other files, nothing gets checked and you are able to upload .txt files into ImageFields.

I tried this with a fresh project and was able to reproduce the problem.

This is how it looks in the sqlite db:

id  image                        post_id
4   products/testnow_copy_2.txt  2

Code I used to recreate the problem:

models.py

from django.db import models


class Product(models.Model):
    title = models.CharField(max_length=50)


class Images(models.Model):
    # One row per uploaded file; the view below creates these directly,
    # so whatever reaches it gets stored under products/ whether or not
    # it is an image.
    post = models.ForeignKey(Product, on_delete=models.CASCADE)
    image = models.ImageField(upload_to='products/')

    def __str__(self):
        return self.post.title

forms.py

from django import forms

from .models import Product


class MultiPhotoForm(forms.ModelForm):
    # Extra (non-model) field rendered as <input type="file" multiple>.
    # ImageField validates a single value; it is not list-aware.
    file_field = forms.ImageField(widget=forms.ClearableFileInput(attrs={'multiple': True}))

    class Meta:
        model = Product
        fields = ['title']

views.py

from django.shortcuts import render

from .forms import MultiPhotoForm
from .models import Images, Product


def MultiUploadView(request):
    template_name = 'test.html'

    if request.method == "POST":
        form = MultiPhotoForm(request.POST, request.FILES)
        # Every file sent under this name, not just the one value the
        # form's ImageField saw during validation.
        files = request.FILES.getlist('file_field')
        if form.is_valid():
            title = form.cleaned_data['title']
            product = Product.objects.create(title=title)
            # Each file is saved without having been run through
            # ImageField.clean(); this is the behaviour the ticket reports.
            for i in files:
                Images.objects.create(post=product, image=i)
    else:
        form = MultiPhotoForm()
    return render(request, template_name, {'form': form})

Change History (13)

comment:1 by nawaik, 4 years ago

Description: modified
Version: 3.0 → master

comment:2 by nawaik, 4 years ago

Type: Uncategorized → Bug

comment:3 by Mariusz Felisiak, 4 years ago

Component: File uploads/storage → Documentation
Summary: Multi upload with Imagefield allows non image files to be uploaded → Added all files validation to the "Uploading multiple files" example.
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

Uploading multiple files contains only a simple example of how you can handle multiple files; it will validate only the first file. It's not a bug in ImageField because it doesn't support uploading multiple files.

I agree that we could improve this example (forms.py) by adding all files validation.

comment:4 by Mahanth kumar, 4 years ago

Owner: changed from nobody to Mahanth kumar
Status: newassigned

comment:5 by Mahanth kumar, 4 years ago (in reply to comment:3)

Replying to felixxm:

Uploading multiple files contains only a simple example of how you can handle multiple files; it will validate only the first file. It's not a bug in ImageField because it doesn't support uploading multiple files.

I agree that we could improve this example (forms.py) by adding all files validation.

I'm thinking of adding a note under the example regarding the all files validation. Is that okay?
Or how should I improve the forms.py example?

comment:6 by Simon Brulhart, 4 years ago

Cc: Simon Brulhart added

comment:7 by Jasper Cramwinckel, 3 years ago

When I add a validator to the image form (using something like https://gist.github.com/mobula/da99e4db843b9ceb3a3f ), only the first image gets validated. I assume that is another consequence of the problem described above. This way, it is not possible to check if the uploaded images are not too big. For a developer who is using validators for multi image uploads, it is hard to detect that the code doesn't behave as expected.
Shouldn't this be reclassified as a bug?

Note that in the initial issue description, it is mentioned that when multiple files are uploaded, nothing is checked. When I add a validator to the form, the first file is validated by the validator. So I am not 100% sure this is the same issue.

Last edited 3 years ago by Jasper Cramwinckel
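
The behaviour Mariusz describes in comment:3 (the example validates a single file) and the one Jasper reports in comment:7 (a validator on the field runs only once, so per-file size checks are not possible) can be shown without a Django install. The following is an added example, not code from this ticket or from Django. It uses a stand-in for Django's MultiValueDict (as in Django, `files[name]` returns the last value and `files.getlist(name)` returns all of them), a stand-in ImageField that checks file signatures and a size cap instead of opening the file with Pillow, and two views: one that follows the ticket's pattern of validating the form and then saving `getlist()`, and one whose field cleans every item of the list and saves only `cleaned_data`. The names MultiValueDict, UploadedFile, ImageField, MultipleImageField, UploadForm, vulnerable_view, hardened_view and the sample files are this example's own; the per-item `clean()` follows the shape of the MultipleFileField in Django's revised documentation example.

```python
# Added example, not Django's code. Stand-ins keep it runnable without Django
# or Pillow: MultiValueDict mimics django.utils.datastructures.MultiValueDict,
# ImageField checks file signatures and a size cap instead of opening the file.
from dataclasses import dataclass


class ValidationError(Exception):
    pass


@dataclass
class UploadedFile:
    name: str
    content: bytes


class MultiValueDict(dict):
    """One key, many values. As in Django, d[key] is the LAST value and
    d.getlist(key) is all of them."""

    def __getitem__(self, key):
        return super().__getitem__(key)[-1]

    def getlist(self, key):
        return list(super().get(key, []))


# PNG, JPEG and GIF signatures: a stand-in for Pillow's image parsing.
IMAGE_SIGNATURES = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


class ImageField:
    """Cleans ONE file: present, an image by signature, and under max_bytes."""

    def __init__(self, max_bytes=5 * 1024 * 1024):
        self.max_bytes = max_bytes

    def clean(self, data):
        if data is None:
            raise ValidationError("This field is required.")
        if not data.content.startswith(IMAGE_SIGNATURES):
            raise ValidationError("Upload a valid image. The file you uploaded "
                                  "was either not an image or a corrupted image.")
        if len(data.content) > self.max_bytes:
            raise ValidationError(f"{data.name} exceeds {self.max_bytes} bytes.")
        return data


class MultipleImageField(ImageField):
    """Same checks applied to EVERY item of a list (the shape of the
    MultipleFileField.clean() in Django's revised documentation example)."""

    def clean(self, data):
        single_file_clean = super().clean
        if isinstance(data, (list, tuple)):
            if not data:
                raise ValidationError("This field is required.")
            return [single_file_clean(d) for d in data]
        return single_file_clean(data)


class UploadForm:
    """One field, 'file_field'. multiple=False binds files[name], the single
    value a plain FileInput widget passes; multiple=True binds getlist(name)."""

    def __init__(self, field, multiple, files):
        self.field, self.multiple, self.files = field, multiple, files
        self.errors, self.cleaned_data = [], {}

    def is_valid(self):
        name = "file_field"
        if self.multiple:
            value = self.files.getlist(name)
        else:
            value = self.files[name] if name in self.files else None
        try:
            self.cleaned_data[name] = self.field.clean(value)
        except ValidationError as exc:
            self.errors.append(str(exc))
        return not self.errors


def vulnerable_view(files):
    """The ticket's pattern: validate one value, then save everything from
    getlist(). Returns the file names that would reach storage."""
    form = UploadForm(ImageField(), multiple=False, files=files)
    return [f.name for f in files.getlist("file_field")] if form.is_valid() else []


def hardened_view(files):
    """Every file is cleaned, and only the cleaned data is saved."""
    form = UploadForm(MultipleImageField(), multiple=True, files=files)
    return [f.name for f in form.cleaned_data["file_field"]] if form.is_valid() else []


# Constructed sample uploads: a minimal PNG header and a plain-text file.
PNG = UploadedFile("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
TXT = UploadedFile("notes.txt", b"not an image\n")
```

With `[TXT, PNG]` as the request's files, `vulnerable_view` validates only the PNG and then writes both names, while `hardened_view` rejects the whole submission because the .txt fails `clean()`. Two points carry over to real Django code: the field's `clean()` must iterate over the list it is handed, and the view should persist `form.cleaned_data[...]` rather than re-reading `request.FILES.getlist()`, so that nothing reaches storage that validation did not see.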

comment:8 by Claude Paroz, 22 months ago

Owner: Mahanth kumar removed
Status: assigned → new

comment:9 by Mariusz Felisiak <felisiak.mariusz@…>, 12 months ago

Owner: set to Mariusz Felisiak <felisiak.mariusz@…>
Resolution: fixed
Status: new → closed

In fb4c55d:

Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@…>
Co-authored-by: nessita <124304+nessita@…>

comment:10 by Mariusz Felisiak <felisiak.mariusz@…>, 12 months ago

In 21b1b1fc:

[4.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@…>
Co-authored-by: nessita <124304+nessita@…>

comment:11 by Mariusz Felisiak <felisiak.mariusz@…>, 12 months ago

In e7c3a2c:

[4.1.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@…>
Co-authored-by: nessita <124304+nessita@…>

comment:12 by Mariusz Felisiak <felisiak.mariusz@…>, 12 months ago

In eed53d0:

[3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.

Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@…>
Co-authored-by: nessita <124304+nessita@…>
