Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with tags.
Release Notes
encode/django-rest-framework (djangorestframework)
### [`v3.15.2`](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2)
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2)
### [`v3.15.1`](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1)
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1)
### [`v3.15.0`](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0)
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0)
### [`v3.14.0`](https://togithub.com/encode/django-rest-framework/releases/tag/3.14.0): Version 3.14.0
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.13.1...3.14.0)
- Django 2.2 is no longer supported. [#8662](https://togithub.com/encode/django-rest-framework/issues/8662)
- Django 4.1 compatibility. [#8591](https://togithub.com/encode/django-rest-framework/issues/8591)
- Add `--api-version` CLI option to `generateschema` management command. [#8663](https://togithub.com/encode/django-rest-framework/issues/8663)
- Enforce `is_valid(raise_exception=False)` as a keyword-only argument. [#7952](https://togithub.com/encode/django-rest-framework/issues/7952)
- Stop calling `set_context` on Validators. [#8589](https://togithub.com/encode/django-rest-framework/issues/8589)
- Return `NotImplemented` from `ErrorDetails.__ne__`. [#8538](https://togithub.com/encode/django-rest-framework/issues/8538)
- Don't evaluate `DateTimeField.default_timezone` when a custom timezone is set. [#8531](https://togithub.com/encode/django-rest-framework/issues/8531)
- Make relative URLs clickable in Browseable API. [#8464](https://togithub.com/encode/django-rest-framework/issues/8464)
- Support `ManyRelatedField` falling back to the default value when the attribute specified by dot notation doesn't exist. Matches `ManyRelatedField.get_attribute` to `Field.get_attribute`. [#7574](https://togithub.com/encode/django-rest-framework/issues/7574)
- Make `schemas.openapi.get_reference` public. [#7515](https://togithub.com/encode/django-rest-framework/issues/7515)
- Make `ReturnDict` support `dict` union operators on Python 3.9 and later. [#8302](https://togithub.com/encode/django-rest-framework/issues/8302)
- Update throttling to check if `request.user` is set before checking if the user is authenticated. [#8370](https://togithub.com/encode/django-rest-framework/issues/8370)
### [`v3.13.1`](https://togithub.com/encode/django-rest-framework/releases/tag/3.13.1): Version 3.13.1
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.13.0...3.13.1)
- Revert schema naming changes with function based `@api_view`. [#8297](https://togithub.com/encode/django-rest-framework/issues/8297)
### [`v3.13.0`](https://togithub.com/encode/django-rest-framework/releases/tag/3.13.0): Version 3.13.0
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.12.4...3.13.0)
- Django 4.0 compatability. [#8178](https://togithub.com/encode/django-rest-framework/issues/8178)
- Add `max_length` and `min_length` options to `ListSerializer`. [#8165](https://togithub.com/encode/django-rest-framework/issues/8165)
- Add `get_request_serializer` and `get_response_serializer` hooks to `AutoSchema`. [#7424](https://togithub.com/encode/django-rest-framework/issues/7424)
- Fix OpenAPI representation of null-able read only fields. [#8116](https://togithub.com/encode/django-rest-framework/issues/8116)
- Respect `UNICODE_JSON` setting in API schema outputs. [#7991](https://togithub.com/encode/django-rest-framework/issues/7991)
- Fix for `RemoteUserAuthentication`. [#7158](https://togithub.com/encode/django-rest-framework/issues/7158)
- Make Field constructors keyword-only. [#7632](https://togithub.com/encode/django-rest-framework/issues/7632)
Configuration
π Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
==3.12.4->==3.15.2GitHub Vulnerability Alerts
CVE-2024-21520
Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with
tags.
Release Notes
encode/django-rest-framework (djangorestframework)
### [`v3.15.2`](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2) [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2) ### [`v3.15.1`](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1) [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1) ### [`v3.15.0`](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0) [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0) ### [`v3.14.0`](https://togithub.com/encode/django-rest-framework/releases/tag/3.14.0): Version 3.14.0 [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.13.1...3.14.0) - Django 2.2 is no longer supported. [#8662](https://togithub.com/encode/django-rest-framework/issues/8662) - Django 4.1 compatibility. [#8591](https://togithub.com/encode/django-rest-framework/issues/8591) - Add `--api-version` CLI option to `generateschema` management command. [#8663](https://togithub.com/encode/django-rest-framework/issues/8663) - Enforce `is_valid(raise_exception=False)` as a keyword-only argument. [#7952](https://togithub.com/encode/django-rest-framework/issues/7952) - Stop calling `set_context` on Validators. [#8589](https://togithub.com/encode/django-rest-framework/issues/8589) - Return `NotImplemented` from `ErrorDetails.__ne__`. [#8538](https://togithub.com/encode/django-rest-framework/issues/8538) - Don't evaluate `DateTimeField.default_timezone` when a custom timezone is set. [#8531](https://togithub.com/encode/django-rest-framework/issues/8531) - Make relative URLs clickable in Browseable API. [#8464](https://togithub.com/encode/django-rest-framework/issues/8464) - Support `ManyRelatedField` falling back to the default value when the attribute specified by dot notation doesn't exist. Matches `ManyRelatedField.get_attribute` to `Field.get_attribute`. [#7574](https://togithub.com/encode/django-rest-framework/issues/7574) - Make `schemas.openapi.get_reference` public. [#7515](https://togithub.com/encode/django-rest-framework/issues/7515) - Make `ReturnDict` support `dict` union operators on Python 3.9 and later. [#8302](https://togithub.com/encode/django-rest-framework/issues/8302) - Update throttling to check if `request.user` is set before checking if the user is authenticated. [#8370](https://togithub.com/encode/django-rest-framework/issues/8370) ### [`v3.13.1`](https://togithub.com/encode/django-rest-framework/releases/tag/3.13.1): Version 3.13.1 [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.13.0...3.13.1) - Revert schema naming changes with function based `@api_view`. [#8297](https://togithub.com/encode/django-rest-framework/issues/8297) ### [`v3.13.0`](https://togithub.com/encode/django-rest-framework/releases/tag/3.13.0): Version 3.13.0 [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.12.4...3.13.0) - Django 4.0 compatability. [#8178](https://togithub.com/encode/django-rest-framework/issues/8178) - Add `max_length` and `min_length` options to `ListSerializer`. [#8165](https://togithub.com/encode/django-rest-framework/issues/8165) - Add `get_request_serializer` and `get_response_serializer` hooks to `AutoSchema`. [#7424](https://togithub.com/encode/django-rest-framework/issues/7424) - Fix OpenAPI representation of null-able read only fields. [#8116](https://togithub.com/encode/django-rest-framework/issues/8116) - Respect `UNICODE_JSON` setting in API schema outputs. [#7991](https://togithub.com/encode/django-rest-framework/issues/7991) - Fix for `RemoteUserAuthentication`. [#7158](https://togithub.com/encode/django-rest-framework/issues/7158) - Make Field constructors keyword-only. [#7632](https://togithub.com/encode/django-rest-framework/issues/7632)Configuration
π Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.