mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-09 12:19:13 +00:00
Code Issues 32 Releases Wiki Activity
django/docs/releases/3.2.15.txt
Carlton Gibson b3e4494d75 [3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header. 
Thanks to Motoyasu Saburi for the report.
2022-08-03 08:48:33 +02:00

16 lines
624 B
Plaintext
Raw Permalink Blame History

===========================
Django 3.2.15 release notes
===========================
*August 3, 2022*
Django 3.2.15 fixes a security issue with severity "high" in 3.2.14.
CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
===================================================================================
An application may have been vulnerable to a reflected file download (RFD)
attack that sets the Content-Disposition header of a
:class:`~django.http.FileResponse` when the ``filename`` was derived from
user-supplied input. The ``filename`` is now escaped to avoid this possibility.
Reference in New Issue View Git Blame Copy Permalink