django/docs/releases/2.2.21.txt

===========================
Django 2.2.21 release notes
===========================

*May 4, 2021*

Django 2.2.21 fixes a security issue in 2.2.20.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied. Specifically, empty file names and paths with dot segments will be
rejected.
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-14 16:23:44 +00:00			`===========================`
			`Django 2.2.21 release notes`
			`===========================`

			`May 4, 2021`

			`Django 2.2.21 fixes a security issue in 2.2.20.`

			`CVE-2021-31542: Potential directory-traversal via uploaded files`
			`================================================================`

			``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
			`directory-traversal via uploaded files with suitably crafted file names.`

			`In order to mitigate this risk, stricter basename and path sanitation is now`
			`applied. Specifically, empty file names and paths with dot segments will be`
			`rejected.`