2021-07-01 12:52:41 +08:00
|
|
|
===========================
|
|
|
|
Django 3.1.13 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*July 1, 2021*
|
|
|
|
|
|
|
|
Django 3.1.13 fixes a security issues with severity "high" in 3.1.12.
|
|
|
|
|
2021-06-18 13:16:10 +08:00
|
|
|
CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
|
|
|
|
=====================================================================================
|
|
|
|
|
|
|
|
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
|
|
|
|
column reference validation in path marked for deprecation resulting in a
|
|
|
|
potential SQL injection even if a deprecation warning is emitted.
|
|
|
|
|
|
|
|
As a mitigation the strict column reference validation was restored for the
|
|
|
|
duration of the deprecation period. This regression appeared in 3.1 as a side
|
|
|
|
effect of fixing :ticket:`31426`.
|
|
|
|
|
|
|
|
The issue is not present in the main branch as the deprecated path has been
|
|
|
|
removed.
|