django.git, branch 3.1.11

django.git, branch 3.1.11 django http://cgit.adnoto.dev/django.git/atom?h=3.1.11 2021-05-13T07:16:23Z [3.1.x] Bumped version for 3.1.11 release. 2021-05-13T07:16:23Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-13T07:16:23Z urn:sha1:6efdf1b7e9425c186f5ae1c5dd9a11629131fcbe [3.1.x] Fixed #32718 -- Relaxed file name validation in FileField. 2021-05-13T06:56:06Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-13T06:53:44Z urn:sha1:b7d4a6fa650f97982cf9ca246ddfa623d685487b - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main. [3.1.x] Refs #32718 -- Corrected CVE-2021-31542 release notes. 2021-05-12T08:43:12Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-12T08:42:01Z urn:sha1:9fb9944d1cddf84335c2ab6cfa3d7c2672541ab6 Backport of d1f1417caed648db2f81a1ec28c47bf958c01958 from main. [3.1.x] Added CVE-2021-32052 to security archive. 2021-05-06T08:04:52Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-06T07:58:24Z urn:sha1:068887450479e035247d410863de662687cee2dc Backport of efebcc429f048493d6bc710399e65d98081eafd5 from main [3.1.x] Post-release version bump. 2021-05-06T07:06:53Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-06T07:06:53Z urn:sha1:020bb45b03c921d3bf3283d6daee52c4e6bdc002 [3.1.x] Bumped version for 3.1.10 release. 2021-05-06T07:04:41Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-06T07:04:41Z urn:sha1:a2407cd67bd98cc2de4ed7784eb6beee67b3898f [3.1.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. 2021-05-06T06:50:52Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-04T18:50:12Z urn:sha1:afb23f5929944a407e4990edef1c7806a94c9879 In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main. [3.1.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows. 2021-05-06T05:42:45Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T12:44:19Z urn:sha1:fdbf4a7c1653f1e9842816ac352a3e43659e09be The validate_file_name() sanitation introduced in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example file name as containing path elements on Windows. This breaks the test introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path components for storages that may allow them. Test is skipped pending a discussed storage refactoring to support this use-case. Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main [3.1.x] Added CVE-2021-31542 to security archive. 2021-05-04T09:13:11Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T09:13:11Z urn:sha1:48b39a8e9996ed1819254dda9d771125a0200adf Backport of 607ebbfba915de2d84eb943aa93654f31817a709 and 62b2e8b37e37a313c63be40e3223ca4e830ebde3 from main [3.1.x] Post-release version bump. 2021-05-04T08:32:07Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T08:32:07Z urn:sha1:80124410faa08debc1ca5f075fc163eb36cc4d50