Mirror of https://github.com/django/django.git (synced 2025-10-24 14:16:09 +00:00)
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Committed by: Carlton Gibson
Parent: 8de4ca74ba
Commit: 0b79eb3691
docs/releases/2.2.21.txt (new file, +17 lines)
@@ -0,0 +1,17 @@
===========================
Django 2.2.21 release notes
===========================

*May 4, 2021*

Django 2.2.21 fixes a security issue in 2.2.20.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied. Specifically, empty file names and paths with dot segments will be
rejected.
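Review bot: "paths with dot segments will be rejected" is the one security-relevant statement in this hunk, and it is too loose for a reader assessing exposure or updating an upload handler: say whether it means only `.` and `..` path components or any dot-prefixed name, and say what a caller observes on rejection (which exception or validation error is raised), since the first paragraph attributes the risk to client-supplied file names and operators need to know how those now fail. One added sentence after "rejected." would cover both.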
docs/releases/3.1.9.txt (new file, +17 lines)
@@ -0,0 +1,17 @@
==========================
Django 3.1.9 release notes
==========================

*May 4, 2021*

Django 3.1.9 fixes a security issue in 3.1.8.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied. Specifically, empty file names and paths with dot segments will be
rejected.
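Review bot: the CVE section here is word for word the 2.2.21 text, which is expected for a backport, so any tightening of the "dot segments" wording or any mention of the exception raised on rejection made in the 2.2.21 note must be mirrored here and in the 3.2.1 hunk so the three release notes do not drift apart.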
@@ -2,9 +2,19 @@
Django 3.2.1 release notes
==========================

*Expected May 4, 2021*
*May 4, 2021*

Django 3.2.1 fixes several bugs in 3.2.
Django 3.2.1 fixes a security issue and several bugs in 3.2.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied. Specifically, empty file names and paths with dot segments will be
rejected.

Bugfixes
========
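Review bot: replacing "*Expected May 4, 2021*" with "*May 4, 2021*" commits the 3.2.1 notes to a final date in the same hunk that adds the security section; if the release slips, this line and the dated lines in the two new 2.2.21 and 3.1.9 files must be re-dated together, so it is worth confirming the date is final before merging rather than leaving "Expected" in place.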
@@ -40,6 +40,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1

3.1.9
3.1.8
3.1.7
3.1.6
@@ -76,6 +77,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1

2.2.21
2.2.20
2.2.19
2.2.18