chango.git, branch 2.2.22

chango.git, branch 2.2.22 django http://cgit.adnoto.dev/chango.git/atom?h=2.2.22 2021-05-06T07:08:28Z [2.2.x] Bumped version for 2.2.22 release. 2021-05-06T07:08:28Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-06T07:08:28Z urn:sha1:df9fd4661e203d41c189054d8b23d256815e14fc [2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. 2021-05-06T06:53:27Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-04T18:50:12Z urn:sha1:d9594c4ea57b6309d93879805302cec9ae9f23ff In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main. [2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows. 2021-05-06T05:44:15Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T12:44:19Z urn:sha1:163700388cda2305c8dbcdb3ac1542a442f3e955 The validate_file_name() sanitation introduced in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example file name as containing path elements on Windows. This breaks the test introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path components for storages that may allow them. Test is skipped pending a discussed storage refactoring to support this use-case. Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main [2.2.x] Added CVE-2021-31542 to security archive. 2021-05-04T09:14:17Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T09:14:17Z urn:sha1:bcafd9ba848d736769870b4fc940b2ebbf87a70a Backport of 607ebbfba915de2d84eb943aa93654f31817a709 and 62b2e8b37e37a313c63be40e3223ca4e830ebde3 from main [2.2.x] Post-release version bump. 2021-05-04T08:24:07Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T08:24:07Z urn:sha1:3931dc765177b2793fe806b4a02122b1a718b1c3 [2.2.x] Bumped version for 2.2.21 release. 2021-05-04T08:18:53Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T08:18:53Z urn:sha1:ff1385ae45d267f455b1744fb39a9ab5de688d05 [2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-27T17:10:08Z Florian Apolloner florian@apolloner.eu 2021-04-14T16:23:44Z urn:sha1:04ac1624bdc2fa737188401757cf95ced122d26d [2.2.x] Added CVE-2021-28658 to security archive. 2021-04-06T07:48:05Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-04-06T07:42:31Z urn:sha1:7f1b088ab4a4342a87a11496096471703994a006 Backport of 1eac8468cbde790fecb51dd055a439f4947d01e9 from main [2.2.x] Post-release version bump. 2021-04-06T06:45:22Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-04-06T06:45:22Z urn:sha1:e95fbb6a7653a5f199d5d8c90a282cdf9e58fc22 [2.2.x] Bumped version for 2.2.20 release. 2021-04-06T06:39:37Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-04-06T06:39:37Z urn:sha1:ad9fa56a17bf9691615e9bb6e41d08d51cfe8a5d