summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-04-27 19:10:08 +0200
commit04ac1624bdc2fa737188401757cf95ced122d26d (patch)
treec972b0d7a4fd9ee7a94661a708c3964a1fd7192b /docs
parent7f1b088ab4a4342a87a11496096471703994a006 (diff)
[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.21.txt17
-rw-r--r--docs/releases/index.txt1
2 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt
new file mode 100644
index 0000000000..f32aeadff7
--- /dev/null
+++ b/docs/releases/2.2.21.txt
@@ -0,0 +1,17 @@
+===========================
+Django 2.2.21 release notes
+===========================
+
+*May 4, 2021*
+
+Django 2.2.21 fixes a security issue in 2.2.20.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 7ccec86e15..e59c97b17f 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 2.2.21
2.2.20
2.2.19
2.2.18