diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2021-04-14 18:23:44 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-04-27 19:10:08 +0200 |
| commit | 04ac1624bdc2fa737188401757cf95ced122d26d (patch) | |
| tree | c972b0d7a4fd9ee7a94661a708c3964a1fd7192b /docs | |
| parent | 7f1b088ab4a4342a87a11496096471703994a006 (diff) | |
[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.2.21.txt | 17 | ||||
| -rw-r--r-- | docs/releases/index.txt | 1 |
2 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt new file mode 100644 index 0000000000..f32aeadff7 --- /dev/null +++ b/docs/releases/2.2.21.txt @@ -0,0 +1,17 @@ +=========================== +Django 2.2.21 release notes +=========================== + +*May 4, 2021* + +Django 2.2.21 fixes a security issue in 2.2.20. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 7ccec86e15..e59c97b17f 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.21 2.2.20 2.2.19 2.2.18 |
