Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.

Thanks to Dennis Brinkrolf for the report.
author: Florian Apolloner <florian@apolloner.eu> 2021-12-17 21:07:50 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-01-04 10:04:12 +0100
commit: 6d343d01c57eb03ca1c6826318b652709e58a76e (patch)
tree: 969ef783b8400a7459eaa9a5efc4a5bcc8244b1f /docs/releases
parent: 761f449e0daf3de06b0132bd4d6dfcdeef578e26 (diff)
3 files changed, 15 insertions, 0 deletions
diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt
index 2ed9b32119..9a53c51e27 100644
--- a/docs/releases/2.2.26.txt
+++ b/docs/releases/2.2.26.txt
@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.
 
 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.
diff --git a/docs/releases/3.2.11.txt b/docs/releases/3.2.11.txt
index e715ae866f..adff2d6d08 100644
--- a/docs/releases/3.2.11.txt
+++ b/docs/releases/3.2.11.txt
@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.
 
 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.
diff --git a/docs/releases/4.0.1.txt b/docs/releases/4.0.1.txt
index 5335511f1e..3128d20431 100644
--- a/docs/releases/4.0.1.txt
+++ b/docs/releases/4.0.1.txt
@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.
 
 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.
author	Florian Apolloner <florian@apolloner.eu>	2021-12-17 21:07:50 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2022-01-04 10:04:12 +0100
commit	6d343d01c57eb03ca1c6826318b652709e58a76e (patch)
tree	969ef783b8400a7459eaa9a5efc4a5bcc8244b1f /docs/releases
parent	761f449e0daf3de06b0132bd4d6dfcdeef578e26 (diff)