Changelog
python-django (3:3.2.19-1) unstable; urgency=medium
* New upstream security release.
* CVE-2023-31047: Prevent a potential bypass of validation when uploading
multiple files using one form field.
Uploading multiple files using one form field has never been supported by
forms.FileField or forms.ImageField as only the last uploaded file was
validated. Unfortunately, Uploading multiple files topic suggested
otherwise. In order to avoid the vulnerability, the ClearableFileInput and
FileInput form widgets now raise ValueError when the multiple HTML
attribute is set on them. To prevent the exception and keep the old
behavior, set the allow_multiple_selected attribute to True.
For more details on using the new attribute and handling of multiple files
through a single field, see:
<https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>
(Closes: #1035467)
* Bump Standards-Version to 4.6.2.
-- Chris Lamb <email address hidden> Wed, 03 May 2023 09:32:59 -0700