2021-05-25 16:38:20 +08:00
|
|
|
===========================
|
|
|
|
Django 2.2.24 release notes
|
|
|
|
===========================
|
|
|
|
|
2021-06-02 16:19:19 +08:00
|
|
|
*June 2, 2021*
|
2021-05-25 16:38:20 +08:00
|
|
|
|
|
|
|
Django 2.2.24 fixes two security issues in 2.2.23.
|
|
|
|
|
2021-05-17 17:26:36 +08:00
|
|
|
CVE-2021-33203: Potential directory traversal via ``admindocs``
|
|
|
|
===============================================================
|
|
|
|
|
|
|
|
Staff members could use the :mod:`~django.contrib.admindocs`
|
|
|
|
``TemplateDetailView`` view to check the existence of arbitrary files.
|
|
|
|
Additionally, if (and only if) the default admindocs templates have been
|
|
|
|
customized by the developers to also expose the file contents, then not only
|
|
|
|
the existence but also the file contents would have been exposed.
|
|
|
|
|
|
|
|
As a mitigation, path sanitation is now applied and only files within the
|
|
|
|
template root directories can be loaded.
|