Hi all,

We took a defense-in-depth approach which seemed fine with our test suite. 
But it turns out, there are cases that weren't covered by tests which caused a 
regression in a few specific cases. This is tracked in 
https://code.djangoproject.com/ticket/32718

Cheers,

Markus

On Fri, May 7, 2021, at 1:22 PM, Ned Batchelder wrote:
> It seems to me that the release note for 2.2.21 is incomplete.  It 
> says, "Specifically, empty file names and paths with dot segments will 
> be rejected."
> 
> But it's stricter than that: any path component causes the path to be 
> rejected:
> 
> > if name != os.path.basename(name):
> >     raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
> 
> Is this level of strictness necessary?
> 
> --Ned.
> 
> On 5/4/21 4:54 AM, Carlton Gibson wrote:
> > Details are available on the Django project weblog:
> > 
> > https://www.djangoproject.com/weblog/2021/may/04/security-releases/
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups 
> > "django-announce" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected].
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/django-announce/2B8F47F5-20C4-477B-81F4-DEA23A178294%40gmail.com
> >  
> > <https://groups.google.com/d/msgid/django-announce/2B8F47F5-20C4-477B-81F4-DEA23A178294%40gmail.com?utm_medium=email&utm_source=footer>.
> 

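The gap Ned describes, as an added example that is not part of the thread and not Django's own code: it runs the quoted basename check next to a check that enforces only the release-note wording, over constructed file names. `release_note_check`, `accepted`, `compare`, `stricter_only` and the local `SuspiciousFileOperation` class are hypothetical stand-ins.

```python
import os


class SuspiciousFileOperation(Exception):
    """Local stand-in for Django's exception of the same name (assumption)."""


def strict_check(name):
    """The check quoted in the thread: any directory component is rejected."""
    if name != os.path.basename(name):
        raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
    return name


def release_note_check(name):
    """Hypothetical check that enforces only the release-note wording:
    reject empty names and paths that contain dot segments."""
    if not name:
        raise SuspiciousFileOperation("Empty file name")
    if any(part in (".", "..") for part in name.split("/")):
        raise SuspiciousFileOperation("File name '%s' has dot segments" % name)
    return name


def accepted(check, name):
    """True if the check lets the name through, False if it raises."""
    try:
        check(name)
        return True
    except SuspiciousFileOperation:
        return False


# Constructed sample names, not taken from the thread or the ticket.
SAMPLES = ["report.pdf", "../etc/passwd", "a/./b.txt",
           "uploads/2021/report.pdf", "/abs/report.pdf"]


def compare(samples=SAMPLES):
    """Map each name to (accepted by quoted check, accepted by release-note rule)."""
    return {n: (accepted(strict_check, n), accepted(release_note_check, n)) for n in samples}


def stricter_only(samples=SAMPLES):
    """Names the release-note wording would allow but the quoted check rejects."""
    return [n for n, (strict, noted) in compare(samples).items() if noted and not strict]


if __name__ == "__main__":
    for name, (strict, noted) in compare().items():
        print("%-26r quoted check: %-5s release-note rule: %s" % (name, strict, noted))
```

Names with a directory part but no dot segments, such as `uploads/2021/report.pdf`, are the ones where the two checks disagree.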