author    Florian Apolloner <florian@apolloner.eu>    2021-04-14 18:23:44 +0200
committer    Carlton Gibson <carlton.gibson@noumenal.es>    2021-05-04 08:44:42 +0200
commit    0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
tree    ceb3f3df98ca1ee553f793121b6e43dc67ee2607 /docs/releases/3.2.1.txt
parent    8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'docs/releases/3.2.1.txt')
-rw-r--r--    docs/releases/3.2.1.txt    14
1 files changed, 12 insertions, 2 deletions
diff --git a/docs/releases/3.2.1.txt b/docs/releases/3.2.1.txt
index 545c9adce3..97ac4ebc94 100644
--- a/docs/releases/3.2.1.txt
+++ b/docs/releases/3.2.1.txt
@@ -2,9 +2,19 @@
Django 3.2.1 release notes
==========================
-*Expected May 4, 2021*
+*May 4, 2021*
-Django 3.2.1 fixes several bugs in 3.2.
+Django 3.2.1 fixes a security issue and several bugs in 3.2.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
Bugfixes
========
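Review bot: the new mitigation paragraph ("In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.") tells readers what is rejected but not what a caller observes when that happens, so an application author reading this note cannot tell which exception to expect, catch, or log for a rejected upload; consider naming the exception raised by ``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` on rejection. "Paths with dot segments" is also ambiguous between ``.`` / ``..`` path components and any file name that merely contains a dot (which would cover nearly every upload); spelling out that it means ``.`` and ``..`` segments would avoid that misreading.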