| author | Michael Manfre <mike@manfre.net> | 2022-06-29 20:39:51 -0400 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-07-01 08:48:38 +0200 |
| commit | 03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 (patch) | |
| tree | c9ad05e93f1ce711e13e72bda616367988f453a5 /docs | |
| parent | 5c93a84f44054034f495267ff2400a5de69a4fc1 (diff) | |
Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/4.2.txt b/docs/releases/4.2.txt index fad89ea008..34f8362be9 100644 --- a/docs/releases/4.2.txt +++ b/docs/releases/4.2.txt @@ -217,6 +217,13 @@ Utilities * The new ``encoder`` parameter for :meth:`django.utils.html.json_script` function allows customizing a JSON encoder class. +* The private internal vendored copy of ``urllib.parse.urlsplit()`` now strips + ``'\r'``, ``'\n'``, and ``'\t'`` (see :cve:`2022-0391` and :bpo:`43882`). + This is to protect projects that may be incorrectly using the internal + ``url_has_allowed_host_and_scheme()`` function, instead of using one of the + documented functions for handling URL redirects. The Django functions were + not affected. + Validators ~~~~~~~~~~ |
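Review bot: the new release-note entry tells readers to use "one of the documented functions for handling URL redirects" instead of the private ``url_has_allowed_host_and_scheme()``, but it does not name or cross-reference them; since the purpose of the note is to steer projects off the internal helper, a ``:func:`` or ``:ref:`` link to the intended public alternative would make the guidance actionable. The closing sentence "The Django functions were not affected." is also ambiguous as written; consider stating, as the commit message does, that Django's own use of the vendored helper was not affected and the change only protects third-party code passing unsanitized input to it.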
