diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2022-07-27 10:27:42 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2022-08-03 08:48:33 +0200 |
| commit | b3e4494d759202a3b6bf247fd34455bf13be5b80 (patch) | |
| tree | 860b1455fd65c17ce93dfb68ad2d049a7191c21d /docs | |
| parent | cb7fbac9f8a93d730be66815620d5769aad521bc (diff) | |
[3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.
Thanks to Motoyasu Saburi for the report.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/3.2.15.txt | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/releases/3.2.15.txt b/docs/releases/3.2.15.txt index a7a56ae965..281444ecf2 100644 --- a/docs/releases/3.2.15.txt +++ b/docs/releases/3.2.15.txt @@ -6,4 +6,10 @@ Django 3.2.15 release notes Django 3.2.15 fixes a security issue with severity "high" in 3.2.14. -... +CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse`` +=================================================================================== + +An application may have been vulnerable to a reflected file download (RFD) +attack that sets the Content-Disposition header of a +:class:`~django.http.FileResponse` when the ``filename`` was derived from +user-supplied input. The ``filename`` is now escaped to avoid this possibility. |
