codecov[bot]
commented
2 years ago Codecov Report
Merging #4706 (1cf9792) into master (31546df) will not change coverage. The diff coverage is
n/a.
@@ Coverage Diff @@
## master #4706 +/- ##
=======================================
Coverage 92.35% 92.35%
=======================================
Files 238 238
Lines 6739 6739
=======================================
Hits 6224 6224
Misses 515 515 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.
pyup-bot
This PR updates django from 4.0.5 to 4.0.7.
Changelog
### 4.0.7 ``` ========================== *August 3, 2022* Django 4.0.7 fixes a security issue with severity "high" in 4.0.6. CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse`` =================================================================================== An application may have been vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a :class:`~django.http.FileResponse` when the ``filename`` was derived from user-supplied input. The ``filename`` is now escaped to avoid this possibility. ========================== ``` ### 4.0.6 ``` ========================== *July 4, 2022* Django 4.0.6 fixes a security issue with severity "high" in 4.0.5. CVE-2022-34265: Potential SQL injection via ``Trunc(kind)`` and ``Extract(lookup_name)`` arguments ================================================================================================== :class:`Trunc() <django.db.models.functions.Trunc>` and :class:`Extract() <django.db.models.functions.Extract>` database functions were subject to SQL injection if untrusted data was used as a ``kind``/``lookup_name`` value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. ========================== ```Links
- PyPI: https://pypi.org/project/django - Changelog: https://pyup.io/changelogs/django/ - Homepage: https://www.djangoproject.com/