From 04ac1624bdc2fa737188401757cf95ced122d26d Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Wed, 14 Apr 2021 18:23:44 +0200 Subject: [2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. --- docs/releases/2.2.21.txt | 17 +++++++++++++++++ docs/releases/index.txt | 1 + 2 files changed, 18 insertions(+) create mode 100644 docs/releases/2.2.21.txt (limited to 'docs') diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt new file mode 100644 index 0000000000..f32aeadff7 --- /dev/null +++ b/docs/releases/2.2.21.txt @@ -0,0 +1,17 @@ +=========================== +Django 2.2.21 release notes +=========================== + +*May 4, 2021* + +Django 2.2.21 fixes a security issue in 2.2.20. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 7ccec86e15..e59c97b17f 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.21 2.2.20 2.2.19 2.2.18 -- cgit v1.3