1
0
mirror of https://github.com/django/django.git synced 2025-07-09 20:29:12 +00:00

3 Commits

Author SHA1 Message Date
Mariusz Felisiak
2d2c1d0c97 [3.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603

Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-05-06 08:48:22 +02:00
Simon Charette
364098fdac [3.2.x] Fixed #32714 -- Prevented recreation of migration for Meta.ordering with OrderBy expressions.
Regression in c8b659430556dca0b2fe27cf2ea0f8290dbafecd.

Thanks Kevin Marsh for the report.

Backport of 96f55ccf798c7592a1203f798a4dffaf173a9263 from main
2021-05-05 08:44:37 +02:00
Carlton Gibson
04d8ed3660 [3.2.x] Added stub release notes for Django 3.2.2.
Backport of 5a43cfe24533591a020ba4e730440bad81c478db from main
2021-05-04 11:02:11 +02:00