From bd062445cffd3f6cc6dcd20d13e2abed818fa173 Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Wed, 20 Jul 2022 12:14:45 +0200 Subject: Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header. Thanks to Motoyasu Saburi for the report. --- docs/releases/3.2.15.txt | 8 +++++++- docs/releases/4.0.7.txt | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/releases/3.2.15.txt b/docs/releases/3.2.15.txt index a7a56ae965..281444ecf2 100644 --- a/docs/releases/3.2.15.txt +++ b/docs/releases/3.2.15.txt @@ -6,4 +6,10 @@ Django 3.2.15 release notes Django 3.2.15 fixes a security issue with severity "high" in 3.2.14. -... +CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse`` +=================================================================================== + +An application may have been vulnerable to a reflected file download (RFD) +attack that sets the Content-Disposition header of a +:class:`~django.http.FileResponse` when the ``filename`` was derived from +user-supplied input. The ``filename`` is now escaped to avoid this possibility. diff --git a/docs/releases/4.0.7.txt b/docs/releases/4.0.7.txt index 919f3520de..7fb8555077 100644 --- a/docs/releases/4.0.7.txt +++ b/docs/releases/4.0.7.txt @@ -6,4 +6,10 @@ Django 4.0.7 release notes Django 4.0.7 fixes a security issue with severity "high" in 4.0.6. -... +CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse`` +=================================================================================== + +An application may have been vulnerable to a reflected file download (RFD) +attack that sets the Content-Disposition header of a +:class:`~django.http.FileResponse` when the ``filename`` was derived from +user-supplied input. The ``filename`` is now escaped to avoid this possibility. -- cgit v1.3
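Review bot: In the paragraph added to docs/releases/3.2.15.txt, "attack that sets the Content-Disposition header" reads as though the attacker sets the header, while the rest of the sentence says the header belongs to a ``FileResponse`` whose ``filename`` was derived from user-supplied input. Suggest rewording to something like "a reflected file download (RFD) attack via the Content-Disposition header of a :class:`~django.http.FileResponse` when the ``filename`` is derived from user-supplied input", so the condition for exposure is unambiguous.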
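Review bot: The closing sentence added to docs/releases/4.0.7.txt, "The ``filename`` is now escaped to avoid this possibility", does not say which characters are escaped or how the resulting header value differs, and this view of the commit is limited to 'docs', so the release note is the only description a reader sees here. Suggest naming what is escaped or pointing to the ``FileResponse`` documentation, and stating whether applications that pass user-supplied filenames need to do anything beyond upgrading.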