===========================
Django 3.1.12 release notes
===========================

*June 2, 2021*

Django 3.1.12 fixes two security issues in 3.1.11.

CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================

Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
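The containment check below is an added illustration of the kind of path sanitation the note describes, not Django's own patch: a requested template name is resolved against each configured template root and served only if the resolved path stays inside one of them. The directory layout and file names are constructed for the demo.

```python
"""Added example (not Django's code): resolve a requested template name and
allow it only when it lands inside one of the configured template roots."""
from pathlib import Path
import tempfile


def resolve_within_roots(requested, roots):
    """Return the resolved Path of `requested` if it is an existing file inside
    one of `roots`, otherwise None. Anything outside the roots (via '..',
    an absolute path, or a symlink that resolve() follows out of the root)
    returns None, so no existence information leaks for such paths."""
    resolved_roots = [Path(r).resolve() for r in roots]
    req = Path(requested)
    if req.is_absolute():
        candidates = [req.resolve()]
    else:
        candidates = [(root / req).resolve() for root in resolved_roots]
    for cand in candidates:
        for root in resolved_roots:
            try:
                cand.relative_to(root)  # raises ValueError when outside root
            except ValueError:
                continue
            if cand.is_file():
                return cand
    return None


def demo():
    """Build a constructed sandbox: one template root containing
    'admin/base.html' and a secret file outside it; return, per request,
    the root-relative path that would be served or None when refused."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "templates"
        (root / "admin").mkdir(parents=True)
        (root / "admin" / "base.html").write_text("{% block content %}{% endblock %}")
        secret = base / "secret.txt"
        secret.write_text("constructed secret, must never be served")
        requests = {
            "legit": "admin/base.html",       # inside root: served
            "traversal": "../secret.txt",     # escapes root via '..': refused
            "absolute": str(secret),          # absolute path outside root: refused
            "missing_inside": "admin/missing.html",  # inside root but absent
        }
        results = {}
        for label, name in requests.items():
            found = resolve_within_roots(name, [root])
            results[label] = None if found is None else found.relative_to(root.resolve()).as_posix()
        return results


if __name__ == "__main__":
    print(demo())
```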