[4.0.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.

Thanks to Motoyasu Saburi for the report.
author: Carlton Gibson <carlton.gibson@noumenal.es> 2022-07-27 10:27:42 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-08-03 08:48:00 +0200
commit: b7d9529cbe0af4adabb6ea5d01ed8dcce3668fb3 (patch)
tree: 4aa0035fdcf98341989045b21967255e35be9070 /docs/releases/3.2.15.txt
parent: 2eb7dedd8f40f911d581d4e7619c046cefe203ce (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/releases/3.2.15.txt b/docs/releases/3.2.15.txt
index a7a56ae965..281444ecf2 100644
--- a/docs/releases/3.2.15.txt
+++ b/docs/releases/3.2.15.txt
@@ -6,4 +6,10 @@ Django 3.2.15 release notes
 
 Django 3.2.15 fixes a security issue with severity "high" in 3.2.14.
 
-...
+CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
+===================================================================================
+
+An application may have been vulnerable to a reflected file download (RFD)
+attack that sets the Content-Disposition header of a
+:class:`~django.http.FileResponse` when the ``filename`` was derived from
+user-supplied input. The ``filename`` is now escaped to avoid this possibility.
author	Carlton Gibson <carlton.gibson@noumenal.es>	2022-07-27 10:27:42 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2022-08-03 08:48:00 +0200
commit	b7d9529cbe0af4adabb6ea5d01ed8dcce3668fb3 (patch)
tree	4aa0035fdcf98341989045b21967255e35be9070 /docs/releases/3.2.15.txt
parent	2eb7dedd8f40f911d581d4e7619c046cefe203ce (diff)