mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().

Browse Source 
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.

Thanks Wang Baohua for the report.
This commit is contained in:
Mariusz Felisiak
2021-01-22 12:23:18 +01:00
parent 6822aa5c6c
commit 05413afa8c
10 changed files with 77 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/releases/2.2.18.txt Normal file
View File

@@ -0,0 +1,15 @@
===========================
Django 2.2.18 release notes
===========================
*February 1, 2021*
Django 2.2.18 fixes a security issue with severity "low" in 2.2.17.
CVE-2021-3281: Potential directory-traversal via ``archive.extract()``
======================================================================
The ``django.utils.archive.extract()`` function, used by
:option:`startapp --template` and :option:`startproject --template`, allowed
directory-traversal via an archive with absolute paths or relative paths with
dot segments.