diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-09-16 17:13:36 +0200 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-10-01 08:12:07 -0400 |
| commit | 924a0c092e65fa2d0953fd1855d2dc8786d94de2 (patch) | |
| tree | 101a0c0e0e28a471c92fa19c8890d7f200a0b8fd /docs/releases/5.2.7.txt | |
| parent | 41b43c74bda19753c757036673ea9db74acf494a (diff) | |
Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().
Thanks stackered for the report.
Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
Diffstat (limited to 'docs/releases/5.2.7.txt')
| -rw-r--r-- | docs/releases/5.2.7.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/5.2.7.txt b/docs/releases/5.2.7.txt index 05d03a991e..b8c27d1de2 100644 --- a/docs/releases/5.2.7.txt +++ b/docs/releases/5.2.7.txt @@ -17,6 +17,14 @@ to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to :cve:`2022-28346`). +CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()`` +=============================================================================== + +The ``django.utils.archive.extract()`` function, used by +:option:`startapp --template` and :option:`startproject --template`, allowed +partial directory-traversal via an archive with file paths sharing a common +prefix with the target directory (follow up to :cve:`2021-3281`). + Bugfixes ======== |
