Update django to 2.2.23#221

Closed

pyup-bot wants to merge 1 commit into master from pyup-update-django-2.2.19-to-2.2.23

Conversation

@pyup-bot
Contributor

This PR updates Django from 2.2.19 to 2.2.23.

Changelog

======
2.2.23
======

*May 13, 2021*

Django 2.2.23 fixes a regression in 2.2.21.

Bugfixes
========

* Fixed a regression in Django 2.2.21 where saving ``FileField`` would raise a
  ``SuspiciousFileOperation`` even when a custom
  :attr:`~django.db.models.FileField.upload_to` returns a valid file path
  (:ticket:`32718`).


======
2.2.22
======

*May 6, 2021*

Django 2.2.22 fixes a security issue in 2.2.21.

CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
===============================================================================================================

On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
newlines and tabs. If you used values with newlines in an HTTP response, you
could suffer from header injection attacks. Django itself wasn't vulnerable
because :class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.

Moreover, the ``URLField`` form field, which uses ``URLValidator``, silently
removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you were using this validator outside of the
form fields.

This issue was introduced by the :bpo:`43882` fix.


======
2.2.21
======

*May 4, 2021*

Django 2.2.21 fixes a security issue in 2.2.20.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied.


======
2.2.20
======

*April 6, 2021*

Django 2.2.20 fixes a security issue with severity "low" in 2.2.19.

CVE-2021-28658: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser`` allowed directory-traversal via uploaded files with
suitably crafted file names.

Built-in upload handlers were not affected by this vulnerability.


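The CVE-2021-32052 note above describes a validator that only inspected the output of ``urllib.parse.urlsplit``, which on Python 3.9.5+ (:bpo:`43882`) silently strips tabs and newlines before the validator looks. The following is an added, pure-Python illustration of that gap and of the two defensive checks a maintainer would want; it is not Django's code and does not use Django, and the function names and sample values are constructed for this example:

```python
from urllib.parse import urlsplit

# Characters that urlsplit() removes silently on Python 3.9.5+ (bpo-43882).
# A validator that only inspects the parsed pieces therefore never sees them.
UNSAFE_CHARS = frozenset("\t\r\n")


def parsed_only_check(value: str) -> bool:
    """Naive validator (hypothetical): accept the URL if the *parsed* parts look sane.

    On Python 3.9.5+ the control characters are stripped before this check runs,
    so a value still carrying CR/LF can pass; on older Pythons the same call sees
    them and rejects. Its result is version-dependent by design of this demo.
    """
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(c in UNSAFE_CHARS for c in parts.netloc + parts.path)


def strict_check(value: str) -> bool:
    """Hardened validator (hypothetical): reject control characters on the raw
    input before parsing, then apply the structural checks. Rejecting on the raw
    string is what removes the dependency on urlsplit()'s behaviour."""
    if UNSAFE_CHARS.intersection(value):
        return False
    return parsed_only_check(value)


def header_safe(value: str) -> bool:
    """Last line of defence at the point of use: a header value must never carry
    CR or LF, whatever validation ran earlier (the property HttpResponse enforces)."""
    return "\r" not in value and "\n" not in value


# Constructed sample inputs: one benign URL and one with a CRLF inside the path.
GOOD_URL = "https://example.com/next"
BAD_URL = "https://example.com/next\r\nX-Injected: 1"

if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print(repr(url), "parsed-only:", parsed_only_check(url),
              "strict:", strict_check(url), "header-safe:", header_safe(url))
```

Only ``strict_check`` and ``header_safe`` give the same answer on every Python version; ``parsed_only_check`` is the version-dependent behaviour the advisory describes.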

@pyup-bot pyup-bot mentioned this pull request May 13, 2021
@codecov

codecov Bot commented May 13, 2021

Codecov Report

Merging #221 (cc3894f) into master (a2f0d23) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #221   +/-   ##
=======================================
  Coverage   98.06%   98.06%           
=======================================
  Files          27       27           
  Lines        1293     1293           
=======================================
  Hits         1268     1268           
  Misses         25       25           

@pyup-bot
Contributor Author

pyup-bot commented Jun 2, 2021

Closing this in favor of #222

@pyup-bot pyup-bot closed this Jun 2, 2021
@jraddaoui jraddaoui deleted the pyup-update-django-2.2.19-to-2.2.23 branch June 2, 2021 14:15