Diffstat (limited to 'docs/releases/3.1.10.txt')
-rw-r--r--  docs/releases/3.1.10.txt  22
1 files changed, 22 insertions, 0 deletions
diff --git a/docs/releases/3.1.10.txt b/docs/releases/3.1.10.txt
new file mode 100644
index 0000000000..e9a8fcc2d8
--- /dev/null
+++ b/docs/releases/3.1.10.txt
@@ -0,0 +1,22 @@
+===========================
+Django 3.1.10 release notes
+===========================
+
+*May 6, 2021*
+
+Django 3.1.10 fixes a security issue in 3.1.9.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.
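Review bot: the note never states what 3.1.10 changes for callers, so a reader cannot tell from this text whether ``URLValidator`` itself now rejects newlines and tabs or whether the burden stays on application code; one sentence after the opening paragraph, such as "``URLValidator`` now rejects newlines and tabs", would close that gap and match the past tense already used in the heading ("accepted newlines"). Two smaller wording points in the same hunk: "in HTTP response" should read "in an HTTP response", and "only existed if you are using this validator" mixes tenses (prefer "only existed if you were using this validator outside of the form fields").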