Fix CVE-2023-31047

This commit is contained in:
Antoine Bartuccio 2024-06-22 21:16:42 +02:00
parent e681c17a0f
commit e1bf7caa9a
3 changed files with 30 additions and 6 deletions


@ -79,12 +79,37 @@ def send_file(request, file_id, file_class=SithFile, file_attr="file"):
return response return response
class MultipleFileInput(forms.ClearableFileInput):
allow_multiple_selected = True
class _MultipleFieldMixin:
def __init__(self, *args, **kwargs):
kwargs.setdefault("widget", MultipleFileInput())
super().__init__(*args, **kwargs)
def clean(self, data, initial=None):
single_file_clean = super().clean
if isinstance(data, (list, tuple)):
result = [single_file_clean(d, initial) for d in data]
else:
result = [single_file_clean(data, initial)]
return result
class MultipleFileField(_MultipleFieldMixin, forms.FileField):
...
class MultipleImageField(_MultipleFieldMixin, forms.ImageField):
...
class AddFilesForm(forms.Form): class AddFilesForm(forms.Form):
folder_name = forms.CharField( folder_name = forms.CharField(
label=_("Add a new folder"), max_length=30, required=False label=_("Add a new folder"), max_length=30, required=False
) )
file_field = forms.FileField( file_field = MultipleFileField(
widget=forms.ClearableFileInput(attrs={"multiple": True}),
label=_("Files"), label=_("Files"),
required=False, required=False,
) )
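Review bot: The per-file validation in `_MultipleFieldMixin.clean` only takes effect when the widget's `allow_multiple_selected` attribute is honored, which Django added in 3.2.19 as part of its own CVE-2023-31047 fix; on an older 3.2.x the stock widget's `value_from_datadict` still hands the field a single (last) file, so the `isinstance(data, (list, tuple))` branch never runs and the remaining uploads skip validation exactly as before. The pyproject hunk in this commit leaves `Django = "^3.2"` unchanged and no lock file is touched, so the constraint should be raised to `Django = "^3.2.19"` (with the lock regenerated) to make the mitigation enforced rather than dependent on whatever patch level happens to be installed. `_MultipleFieldMixin` and `MultipleFileInput` also lack any note on why they exist; suggest `"""Validate every uploaded file, not only the last one (CVE-2023-31047)."""` on the mixin and `# Django >= 3.2.19 requires this opt-in for multiple-file widgets` above `allow_multiple_selected = True`. `send_file` begins outside the hunk; only its final `return response` is visible here.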


@ -20,7 +20,7 @@ homepage = "https://ae.utbm.fr/"
license = "GPL-3.0-only" license = "GPL-3.0-only"
[tool.poetry.dependencies] [tool.poetry.dependencies]
python = "^3.10,<3.12" python = "^3.10,<3.12" # Version is held back by mistune
Django = "^3.2" Django = "^3.2"
Pillow = "^9.2" Pillow = "^9.2"
mistune = "^0.8.4" mistune = "^0.8.4"


@ -30,7 +30,7 @@ from ajax_select import make_ajax_field
from ajax_select.fields import AutoCompleteSelectMultipleField from ajax_select.fields import AutoCompleteSelectMultipleField
from core.views import CanViewMixin, CanEditMixin from core.views import CanViewMixin, CanEditMixin
from core.views.files import send_file, FileView from core.views.files import send_file, FileView, MultipleImageField
from core.models import SithFile, User, Notification, RealGroup from core.models import SithFile, User, Notification, RealGroup
from sas.models import Picture, Album, PeoplePictureRelation from sas.models import Picture, Album, PeoplePictureRelation
@ -40,8 +40,7 @@ class SASForm(forms.Form):
album_name = forms.CharField( album_name = forms.CharField(
label=_("Add a new album"), max_length=30, required=False label=_("Add a new album"), max_length=30, required=False
) )
images = forms.ImageField( images = MultipleImageField(
widget=forms.ClearableFileInput(attrs={"multiple": True}),
label=_("Upload images"), label=_("Upload images"),
required=False, required=False,
) )
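Review bot: Switching `images` to `MultipleImageField` changes the shape of `cleaned_data["images"]`: the mixin's `clean` wraps a scalar in a list, so the consumer now always receives a list, even for a single upload, and that consumer is outside this hunk (`SASForm`'s body and the view that processes it continue beyond the visible lines). It is worth confirming that the view iterates over `form.cleaned_data["images"]` rather than reading `request.FILES.getlist("images")` directly, since the latter would bypass the per-file `ImageField` validation this change is meant to introduce. A one-line comment on the field, `# Each file is validated individually; cleaned_data["images"] is always a list`, would make the new contract visible to the view code.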