Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.

Thanks to Dennis Brinkrolf for the report.
2025-10-31 09:41:08 +00:00 · 2021-12-17 21:07:50 +01:00
parent 761f449e0d
commit 6d343d01c5
6 changed files with 42 additions and 7 deletions
--- a/docs/releases/3.2.11.txt
+++ b/docs/releases/3.2.11.txt
@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.

 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.

 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.