Commit
Merge pull request from GHSA-x456-3ccm-m6j4
* Add suggested mitigation against malicious HTML form file input. Test cases and docs not updated.
* Make tests pass. Add test specifically for this vulnerability. Fix the `Form.new_control()` method so that it correctly sets the input value if the value is a file object.
* Add better documentation about the vulnerability remediation. Wording fix.
* tests: Add separate test to check for CVE-2023-34457.
* Revert "tests: Add separate test to check for CVE-2023-34457." This reverts commit bd4c6d92a8a803499a447b511bc46b1ba00841d0.
* Misc cleanup
* No need to raise the error on forms with an enctype that do not upload files (e.g. everything besides multipart).
* Make sure that open file inputs are converted to their basename regardless of what kind of form it is to avoid leaking local file paths.
* Throw error at time when the file input is set incorrectly, rather than at submission time.
* Factor complex repeated logic into their own functions (i.e. for the multipart file input check and invalid file value check).
* Fix failing tests.
* Avoid excessive whitespace in exception message.
* Reorder 'and' operands so the slightly less expensive check comes first.

---------

Co-authored-by: Dan Hemberger <daniel.hemberger@gmail.com>
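The behaviour the message describes (the multipart file input check, the invalid-file-value error raised at set time, and basename conversion regardless of enctype), as an added Python illustration; this is a hypothetical model written for this page, not mechanize's own code, and the class, exception and method names are assumptions:

```python
import io
import os

MULTIPART = "multipart/form-data"


class InvalidFileValueError(ValueError):
    """Raised when a file control is given a value that cannot be uploaded safely."""


class FileControl:
    """Hypothetical model of an <input type="file"> control (not mechanize's class)."""

    def __init__(self, name):
        self.name = name
        self.value = None

    def set_value(self, value, enctype):
        # Invalid-file-value check, done at assignment time rather than at submission
        # time. Only a multipart form uploads file content, so only there must the value
        # be an open file object supplied by the caller; a bare string is rejected and is
        # never interpreted as a local path to open. Non-multipart forms raise nothing.
        if enctype == MULTIPART and not hasattr(value, "read"):
            raise InvalidFileValueError(
                f"file control {self.name!r} on a {enctype} form needs an open file "
                f"object, got {type(value).__name__}")
        self.value = value

    def filename(self):
        # Open file objects are reduced to their basename regardless of enctype, so the
        # client's local directory layout never reaches the server.
        if hasattr(self.value, "read"):
            return os.path.basename(getattr(self.value, "name", "") or "")
        return self.value

    def submission_pairs(self, enctype):
        # Multipart forms send (name, filename, content); other enctypes send only the
        # filename, never the file body.
        if self.value is None:
            return []
        if enctype == MULTIPART:
            return [(self.name, self.filename(), self.value.read())]
        return [(self.name, self.filename())]


def constructed_file(data, name):
    """Build an in-memory file-like object with a name, as constructed sample input."""
    f = io.BytesIO(data)
    f.name = name
    return f
```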
Showing 5 changed files with 96 additions and 23 deletions.