Django security releases issued: 3.2.1, 3.1.9 and 2.2.21
27 views
Skip to first unread message
Carlton Gibson
May 4, 2021, 4:55:59 AM5/4/21
to django-...@googlegroups.com, Django developers (Contributions to Django itself), django...@googlegroups.com
Details are available on the Django project weblog:
Ned Batchelder
May 7, 2021, 7:23:53 AM5/7/21
to Django developers (Contributions to Django itself), django...@googlegroups.com
It seems to me that the release note for 2.2.21 is incomplete.
It says, "Specifically, empty file names and paths with dot
segments will be
rejected."
But it's stricter than that: any path component causes the path
to be rejected:
> if name != os.path.basename(name):
> raise SuspiciousFileOperation("File name '%s'
includes path elements" % name)
Is this level of strictness necessary?
--Ned.
On 5/4/21 4:54 AM, Carlton Gibson
wrote:
Details are available on the Django project weblog:
--
You received this message because you are subscribed to the Google Groups "django-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-announ...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-announce/2B8F47F5-20C4-477B-81F4-DEA23A178294%40gmail.com.
Markus Holtermann
May 7, 2021, 7:56:56 AM5/7/21
to Django Users
Hi all,
We took an defense-in-depth approach which seemed fined with our test suite. But it turns out, there are cases that weren't covered by tests which caused a regression in a few specific cases. This is tracked in https://code.djangoproject.com/ticket/32718
Cheers,
Markus
> > To view this discussion on the web visit https://groups.google.com/d/msgid/django-announce/2B8F47F5-20C4-477B-81F4-DEA23A178294%40gmail.com <https://groups.google.com/d/msgid/django-announce/2B8F47F5-20C4-477B-81F4-DEA23A178294%40gmail.com?utm_medium=email&utm_source=footer>.
We took an defense-in-depth approach which seemed fined with our test suite. But it turns out, there are cases that weren't covered by tests which caused a regression in a few specific cases. This is tracked in https://code.djangoproject.com/ticket/32718
Cheers,
Markus
>
> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> --
> You received this message because you are subscribed to the Google
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-users...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/1a9cca6d-de29-f0f6-f787-82f3894a63fe%40nedbatchelder.com <https://groups.google.com/d/msgid/django-users/1a9cca6d-de29-f0f6-f787-82f3894a63fe%40nedbatchelder.com?utm_medium=email&utm_source=footer>.
Reply all
Reply to author
Forward
0 new messages