summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2022-07-20 12:14:45 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2022-08-03 08:46:31 +0200
commitbd062445cffd3f6cc6dcd20d13e2abed818fa173 (patch)
treee3a150ec5176cb0adff541b1a78cb200ef87428e /docs
parent9062c23de80e999009cbe4100d83e90dd0463612 (diff)
Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.
Thanks to Motoyasu Saburi for the report.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/3.2.15.txt8
-rw-r--r--docs/releases/4.0.7.txt8
2 files changed, 14 insertions, 2 deletions
diff --git a/docs/releases/3.2.15.txt b/docs/releases/3.2.15.txt
index a7a56ae965..281444ecf2 100644
--- a/docs/releases/3.2.15.txt
+++ b/docs/releases/3.2.15.txt
@@ -6,4 +6,10 @@ Django 3.2.15 release notes
Django 3.2.15 fixes a security issue with severity "high" in 3.2.14.
-...
+CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
+===================================================================================
+
+An application may have been vulnerable to a reflected file download (RFD)
+attack that sets the Content-Disposition header of a
+:class:`~django.http.FileResponse` when the ``filename`` was derived from
+user-supplied input. The ``filename`` is now escaped to avoid this possibility.
diff --git a/docs/releases/4.0.7.txt b/docs/releases/4.0.7.txt
index 919f3520de..7fb8555077 100644
--- a/docs/releases/4.0.7.txt
+++ b/docs/releases/4.0.7.txt
@@ -6,4 +6,10 @@ Django 4.0.7 release notes
Django 4.0.7 fixes a security issue with severity "high" in 4.0.6.
-...
+CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
+===================================================================================
+
+An application may have been vulnerable to a reflected file download (RFD)
+attack that sets the Content-Disposition header of a
+:class:`~django.http.FileResponse` when the ``filename`` was derived from
+user-supplied input. The ``filename`` is now escaped to avoid this possibility.