mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00

Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for the reports.
Florian Apolloner
2021-11-29 11:52:03 +01:00
committed by Mariusz Felisiak
parent 628b6a6869
commit d4dcd5b9dd
5 changed files with 36 additions and 6 deletions


@@ -6,4 +6,8 @@ Django 2.2.25 release notes
Django 2.2.25 fixes a security issue with severity "low" in 2.2.24.
...
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
=================================================================================
HTTP requests for URLs with trailing newlines could bypass an upstream access
control based on URL paths.
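Review bot: the new CVE section describes only the symptom (a request path with trailing newlines slipping past an upstream path-based access control) and says nothing about what changed in Django or how such a request is handled after the fix, which is what an operator reading the 2.2.25 notes needs to decide whether to upgrade now or to add a filter in front of the application. Consider adding one sentence after `control based on URL paths.` that names the component whose matching changed and states the new behaviour for a path ending in a newline, so that sites can verify the fix against their own upstream rules.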


@@ -6,4 +6,8 @@ Django 3.1.14 release notes
Django 3.1.14 fixes a security issue with severity "low" in 3.1.13.
...
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
=================================================================================
HTTP requests for URLs with trailing newlines could bypass an upstream access
control based on URL paths.


@@ -4,8 +4,13 @@ Django 3.2.10 release notes
*December 7, 2021*
Django 3.2.10 fixes a security issue with severity "low" and several bugs in
3.2.9.
Django 3.2.10 fixes a security issue with severity "low" and a bug in 3.2.9.
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
=================================================================================
HTTP requests for URLs with trailing newlines could bypass an upstream access
control based on URL paths.
Bugfixes
========
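Review bot: the summary line is reworded from `several bugs in 3.2.9` to `a bug in 3.2.9`, an edit unrelated to CVE-2021-44420 that the commit message does not mention; since the `Bugfixes` section that follows must agree with it, check that the section now lists exactly one entry, and either note the wording change in the commit message or land it separately. The `*December 7, 2021*` date is over a week after the commit date, so confirm it is the intended release date rather than a stale placeholder. As in the other two release-notes files, the CVE entry stops at the symptom; a sentence stating what Django now does with a path ending in a newline would make the upgrade note actionable for operators.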