From 0ad9fa02e07b853003b3c2244d1015620705f020 Mon Sep 17 00:00:00 2001 From: Nick Pope Date: Tue, 16 Feb 2021 10:14:17 +0000 Subject: [PATCH] Refs CVE-2021-23336 -- Updated tests and release notes for affected versions. --- docs/releases/2.2.19.txt | 16 ++++++++++++++++ docs/releases/3.0.13.txt | 16 ++++++++++++++++ docs/releases/3.1.7.txt | 13 +++++++++++-- docs/releases/index.txt | 2 ++ tests/handlers/test_exception.py | 2 +- tests/requests/test_data_upload_settings.py | 6 +++--- 6 files changed, 49 insertions(+), 6 deletions(-) create mode 100644 docs/releases/2.2.19.txt create mode 100644 docs/releases/3.0.13.txt diff --git a/docs/releases/2.2.19.txt b/docs/releases/2.2.19.txt new file mode 100644 index 0000000000..feaffd996c --- /dev/null +++ b/docs/releases/2.2.19.txt @@ -0,0 +1,16 @@ +=========================== +Django 2.2.19 release notes +=========================== + +*February 19, 2021* + +Django 2.2.19 fixes a security issue in 2.2.18. + +CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()`` +================================================================================= + +Django contains a copy of :func:`urllib.parse.parse_qsl` which was added to +backport some security fixes. A further security fix has been issued recently +such that ``parse_qsl()`` no longer allows using ``;`` as a query parameter +separator by default. Django now includes this fix. See :bpo:`42967` for +further details. diff --git a/docs/releases/3.0.13.txt b/docs/releases/3.0.13.txt new file mode 100644 index 0000000000..c78b8a04fd --- /dev/null +++ b/docs/releases/3.0.13.txt @@ -0,0 +1,16 @@ +=========================== +Django 3.0.13 release notes +=========================== + +*February 19, 2021* + +Django 3.0.13 fixes a security issue in 3.0.12. + +CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()`` +================================================================================= + +Django contains a copy of :func:`urllib.parse.parse_qsl` which was added to +backport some security fixes. A further security fix has been issued recently +such that ``parse_qsl()`` no longer allows using ``;`` as a query parameter +separator by default. Django now includes this fix. See :bpo:`42967` for +further details. diff --git a/docs/releases/3.1.7.txt b/docs/releases/3.1.7.txt index 1ef16b76c7..e58fc23e80 100644 --- a/docs/releases/3.1.7.txt +++ b/docs/releases/3.1.7.txt @@ -2,9 +2,18 @@ Django 3.1.7 release notes ========================== -*Expected March 1, 2021* +*February 19, 2021* -Django 3.1.7 fixes several bugs in 3.1.6. +Django 3.1.7 fixes a security issue and a bug in 3.1.6. + +CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()`` +================================================================================= + +Django contains a copy of :func:`urllib.parse.parse_qsl` which was added to +backport some security fixes. A further security fix has been issued recently +such that ``parse_qsl()`` no longer allows using ``;`` as a query parameter +separator by default. Django now includes this fix. See :bpo:`42967` for +further details. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 1d56d94d0a..d48bb00a4c 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -53,6 +53,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 3.0.13 3.0.12 3.0.11 3.0.10 @@ -72,6 +73,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.19 2.2.18 2.2.17 2.2.16 diff --git a/tests/handlers/test_exception.py b/tests/handlers/test_exception.py index 7afd4acc6b..0c1e763990 100644 --- a/tests/handlers/test_exception.py +++ b/tests/handlers/test_exception.py @@ -6,7 +6,7 @@ from django.test.client import FakePayload class ExceptionHandlerTests(SimpleTestCase): def get_suspicious_environ(self): - payload = FakePayload('a=1&a=2;a=3\r\n') + payload = FakePayload('a=1&a=2&a=3\r\n') return { 'REQUEST_METHOD': 'POST', 'CONTENT_TYPE': 'application/x-www-form-urlencoded', diff --git a/tests/requests/test_data_upload_settings.py b/tests/requests/test_data_upload_settings.py index f60f1850ea..f7e7ca7aaa 100644 --- a/tests/requests/test_data_upload_settings.py +++ b/tests/requests/test_data_upload_settings.py @@ -11,7 +11,7 @@ TOO_MUCH_DATA_MSG = 'Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE. class DataUploadMaxMemorySizeFormPostTests(SimpleTestCase): def setUp(self): - payload = FakePayload('a=1&a=2;a=3\r\n') + payload = FakePayload('a=1&a=2&a=3\r\n') self.request = WSGIRequest({ 'REQUEST_METHOD': 'POST', 'CONTENT_TYPE': 'application/x-www-form-urlencoded', @@ -117,7 +117,7 @@ class DataUploadMaxNumberOfFieldsGet(SimpleTestCase): request = WSGIRequest({ 'REQUEST_METHOD': 'GET', 'wsgi.input': BytesIO(b''), - 'QUERY_STRING': 'a=1&a=2;a=3', + 'QUERY_STRING': 'a=1&a=2&a=3', }) request.GET['a'] @@ -126,7 +126,7 @@ class DataUploadMaxNumberOfFieldsGet(SimpleTestCase): request = WSGIRequest({ 'REQUEST_METHOD': 'GET', 'wsgi.input': BytesIO(b''), - 'QUERY_STRING': 'a=1&a=2;a=3', + 'QUERY_STRING': 'a=1&a=2&a=3', }) request.GET['a']