It seems to me that the release note for 2.2.21 is incomplete. It says,
"Specifically, empty file names and paths with dot segments will be
rejected."
But it's stricter than that: any path component causes the path to be
rejected:
> if name != os.path.basename(name):
>     raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
Is this level of strictness necessary?
--Ned.
On 5/4/21 4:54 AM, Carlton Gibson wrote:
Details are available on the Django project weblog:
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
--
You received this message because you are subscribed to the Google
Groups "django-announce" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-announce/2B8F47F5-20C4-477B-81F4-DEA23A178294%40gmail.com
--
You received this message because you are subscribed to the Google Groups "Django
users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/1a9cca6d-de29-f0f6-f787-82f3894a63fe%40nedbatchelder.com.
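
The difference raised in the message above, as an added example that is not Django's code and not part of the thread: it runs the quoted `basename` comparison next to a literal reading of the release-note sentence. The function `has_dot_segment_or_empty` is an assumed interpretation of that sentence, `posixpath` stands in for `os.path`, and the sample names are constructed.

```python
import posixpath

# Constructed sample names, not taken from the thread.
SAMPLES = ["report.pdf", "reports/2021/q1.pdf", "../secret.txt",
           "a/./b.txt", "uploads/", "..", ""]


def has_dot_segment_or_empty(name):
    """Release-note wording: empty names and dot segments (assumed reading)."""
    return name == "" or any(part in (".", "..") for part in name.split("/"))


def has_path_elements(name):
    """The quoted check; posixpath gives the same result on every OS."""
    return name != posixpath.basename(name)


def compare(names):
    """Map each name to (rejected by release-note rule, rejected by quoted check)."""
    return {n: (has_dot_segment_or_empty(n), has_path_elements(n)) for n in names}


def stricter_only(names):
    """Names the quoted check rejects although the release-note wording accepts them."""
    return [n for n, (doc, code) in compare(names).items() if code and not doc]


if __name__ == "__main__":
    for name, (doc, code) in compare(SAMPLES).items():
        print(f"{name!r:24} release-note rule: {doc!s:5}  quoted check: {code}")
    print("rejected only by the quoted check:", stricter_only(SAMPLES))
```

Code that passes a relative path such as `reports/2021/q1.pdf` through the quoted check is rejected even though the path contains no dot segment, which is the case the message asks about.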