blob: af8ccec5357bf20a4c1f74492003eabd8113c90f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
===========================
Django 3.1.13 release notes
===========================
*July 1, 2021*
Django 3.1.13 fixes a security issues with severity "high" in 3.1.12.
CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
=====================================================================================
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
column reference validation in path marked for deprecation resulting in a
potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a side
effect of fixing :ticket:`31426`.
The issue is not present in the main branch as the deprecated path has been
removed.
|