From e1bf7caa9afc8359f7791a7f874482d3b4f559e3 Mon Sep 17 00:00:00 2001
From: Sli <antoine@bartuccio.fr>
Date: Sat, 22 Jun 2024 21:16:42 +0200
Subject: [PATCH] Fix CVE-2023-31047

---
 core/views/files.py | 29 +++++++++++++++++++++++++++--
 pyproject.toml      |  2 +-
 sas/views.py        |  5 ++---
 3 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/core/views/files.py b/core/views/files.py
index 1047f381..986477ab 100644
--- a/core/views/files.py
+++ b/core/views/files.py
@@ -79,12 +79,37 @@ def send_file(request, file_id, file_class=SithFile, file_attr="file"):
         return response
 
 
+class MultipleFileInput(forms.ClearableFileInput):
+    allow_multiple_selected = True
+
+
+class _MultipleFieldMixin:
+    def __init__(self, *args, **kwargs):
+        kwargs.setdefault("widget", MultipleFileInput())
+        super().__init__(*args, **kwargs)
+
+    def clean(self, data, initial=None):
+        single_file_clean = super().clean
+        if isinstance(data, (list, tuple)):
+            result = [single_file_clean(d, initial) for d in data]
+        else:
+            result = [single_file_clean(data, initial)]
+        return result
+
+
+class MultipleFileField(_MultipleFieldMixin, forms.FileField):
+    ...
+
+
+class MultipleImageField(_MultipleFieldMixin, forms.ImageField):
+    ...
+
+
 class AddFilesForm(forms.Form):
     folder_name = forms.CharField(
         label=_("Add a new folder"), max_length=30, required=False
     )
-    file_field = forms.FileField(
-        widget=forms.ClearableFileInput(attrs={"multiple": True}),
+    file_field = MultipleFileField(
         label=_("Files"),
         required=False,
     )
diff --git a/pyproject.toml b/pyproject.toml
index 9a8b7d24..a27426eb 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -20,7 +20,7 @@ homepage = "https://ae.utbm.fr/"
 license = "GPL-3.0-only"
 
 [tool.poetry.dependencies]
-python = "^3.10,<3.12"
+python = "^3.10,<3.12" # Version is held back by mistune
 Django = "^3.2"
 Pillow = "^9.2"
 mistune = "^0.8.4"
diff --git a/sas/views.py b/sas/views.py
index ff51fe37..052f7a4e 100644
--- a/sas/views.py
+++ b/sas/views.py
@@ -30,7 +30,7 @@ from ajax_select import make_ajax_field
 from ajax_select.fields import AutoCompleteSelectMultipleField
 
 from core.views import CanViewMixin, CanEditMixin
-from core.views.files import send_file, FileView
+from core.views.files import send_file, FileView, MultipleImageField
 from core.models import SithFile, User, Notification, RealGroup
 
 from sas.models import Picture, Album, PeoplePictureRelation
@@ -40,8 +40,7 @@ class SASForm(forms.Form):
     album_name = forms.CharField(
         label=_("Add a new album"), max_length=30, required=False
     )
-    images = forms.ImageField(
-        widget=forms.ClearableFileInput(attrs={"multiple": True}),
+    images = MultipleImageField(
         label=_("Upload images"),
         required=False,
     )