Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

Thanks Alan Ryan for the report and initial patch.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-01-21 07:50:03 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-02-01 07:41:40 +0100
commit: fc18f36c4ab94399366ca2f2007b3692559a6f23 (patch)
tree: 6a501fe6f132e9aa38199758c91d2b0956d4f424 /django/http/multipartparser.py
parent: 394517f07886495efcf79f95c7ee402a9437bd68 (diff)
download: django-fc18f36c4ab94399366ca2f2007b3692559a6f23.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index c3cb90e639..ef0b339d1b 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -248,6 +248,8 @@ class MultiPartParser:
                                 remaining = len(stripped_chunk) % 4
                                 while remaining != 0:
                                     over_chunk = field_stream.read(4 - remaining)
+                                    if not over_chunk:
+                                        break
                                     stripped_chunk += b"".join(over_chunk.split())
                                     remaining = len(stripped_chunk) % 4
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-01-21 07:50:03 +0100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-02-01 07:41:40 +0100
commit	fc18f36c4ab94399366ca2f2007b3692559a6f23 (patch)
tree	6a501fe6f132e9aa38199758c91d2b0956d4f424 /django/http/multipartparser.py
parent	394517f07886495efcf79f95c7ee402a9437bd68 (diff)
download	django-fc18f36c4ab94399366ca2f2007b3692559a6f23.tar.gz