From 03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 Mon Sep 17 00:00:00 2001 From: Michael Manfre Date: Wed, 29 Jun 2022 20:39:51 -0400 Subject: Updated vendored _urlsplit() to strip newline and tabs. Refs Python CVE-2022-0391. Django is not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk. --- docs/releases/4.2.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.txt b/docs/releases/4.2.txt index fad89ea008..34f8362be9 100644 --- a/docs/releases/4.2.txt +++ b/docs/releases/4.2.txt @@ -217,6 +217,13 @@ Utilities * The new ``encoder`` parameter for :meth:`django.utils.html.json_script` function allows customizing a JSON encoder class. +* The private internal vendored copy of ``urllib.parse.urlsplit()`` now strips + ``'\r'``, ``'\n'``, and ``'\t'`` (see :cve:`2022-0391` and :bpo:`43882`). + This is to protect projects that may be incorrectly using the internal + ``url_has_allowed_host_and_scheme()`` function, instead of using one of the + documented functions for handling URL redirects. The Django functions were + not affected. + Validators ~~~~~~~~~~ -- cgit v1.3
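Review bot: the new bullet in the `Utilities` section tells projects to use "one of the documented functions for handling URL redirects" instead of the private ``url_has_allowed_host_and_scheme()``, but never names those functions; a reader who has been calling the internal helper with unsanitized input has no pointer to what to migrate to. Name the public alternatives and link them with the ``:func:`` role, in the same way the bullet already links ``:cve:`2022-0391``` and ``:bpo:`43882```, and likewise make "The Django functions were not affected" concrete by stating which functions are meant. Note also that this commit touches only ``docs/releases/4.2.txt`` (the stat line shows 7 insertions, limited to 'docs'), so the release note describes a change to the vendored ``urlsplit()`` that is not part of this hunk; the code change it documents should land in, or be referenced from, the same change so the two do not drift apart.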