author: Michael Manfre <mike@manfre.net> 2022-06-29 20:39:51 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-07-01 08:48:38 +0200
commit: 03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 (patch)
tree: c9ad05e93f1ce711e13e72bda616367988f453a5 /docs
parent: 5c93a84f44054034f495267ff2400a5de69a4fc1 (diff)
Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk.
Diffstat (limited to 'docs')
-rw-r--r-- docs/releases/4.2.txt | 7
1 file changed, 7 insertions, 0 deletions
diff --git a/docs/releases/4.2.txt b/docs/releases/4.2.txt
index fad89ea008..34f8362be9 100644
--- a/docs/releases/4.2.txt
+++ b/docs/releases/4.2.txt
@@ -217,6 +217,13 @@ Utilities
* The new ``encoder`` parameter for :meth:`django.utils.html.json_script`
function allows customizing a JSON encoder class.
+* The private internal vendored copy of ``urllib.parse.urlsplit()`` now strips
+ ``'\r'``, ``'\n'``, and ``'\t'`` (see :cve:`2022-0391` and :bpo:`43882`).
+ This is to protect projects that may be incorrectly using the internal
+ ``url_has_allowed_host_and_scheme()`` function, instead of using one of the
+ documented functions for handling URL redirects. The Django functions were
+ not affected.
+
Validators
~~~~~~~~~~
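Review bot: the added release note tells readers to use "one of the documented functions for handling URL redirects" instead of the private ``url_has_allowed_host_and_scheme()``, but it never names or cross-references those documented functions, so a project that is calling the internal helper has nothing concrete to migrate to; add a ``:func:`` reference to the supported public API in the same sentence. It would also help to state which module the "private internal vendored copy" of ``urllib.parse.urlsplit()`` lives in, since the note otherwise leaves readers to locate it by searching the source.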