django/docs/releases/4.0.7.txt

==========================
Django 4.0.7 release notes
==========================

*August 3, 2022*

Django 4.0.7 fixes a security issue with severity "high" in 4.0.6.

CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
===================================================================================

An application may have been vulnerable to a reflected file download (RFD)
attack that sets the Content-Disposition header of a
:class:`~django.http.FileResponse` when the ``filename`` was derived from
user-supplied input. The ``filename`` is now escaped to avoid this possibility.
Added stub release notes for 4.0.7. 2022-07-04 08:05:55 +00:00			`==========================`
			`Django 4.0.7 release notes`
			`==========================`

Adjusted release notes for 4.0.7 and 3.2.15. 2022-07-27 08:03:06 +00:00			`August 3, 2022`
Added stub release notes for 4.0.7. 2022-07-04 08:05:55 +00:00
Adjusted version 4.0.7 release notes. 2022-08-03 06:36:32 +00:00			`Django 4.0.7 fixes a security issue with severity "high" in 4.0.6.`
Added stub release notes for 4.0.7. 2022-07-04 08:05:55 +00:00
Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header. Thanks to Motoyasu Saburi for the report. 2022-07-20 10:14:45 +00:00			CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
			`===================================================================================`

			`An application may have been vulnerable to a reflected file download (RFD)`
			`attack that sets the Content-Disposition header of a`
			:class:`~django.http.FileResponse` when the ``filename`` was derived from
			user-supplied input. The ``filename`` is now escaped to avoid this possibility.