Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.

Thanks to Motoyasu Saburi for the report.
2025-11-07 07:15:35 +00:00 · 2022-07-20 12:14:45 +02:00
parent 9062c23de8
commit bd062445cf
4 changed files with 52 additions and 3 deletions
--- a/docs/releases/4.0.7.txt
+++ b/docs/releases/4.0.7.txt
@@ -6,4 +6,10 @@ Django 4.0.7 release notes

 Django 4.0.7 fixes a security issue with severity "high" in 4.0.6.

-...
+CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
+===================================================================================
+
+An application may have been vulnerable to a reflected file download (RFD)
+attack that sets the Content-Disposition header of a
+:class:`~django.http.FileResponse` when the ``filename`` was derived from
+user-supplied input. The ``filename`` is now escaped to avoid this possibility.