dependabot-preview[bot]
commented
3 years ago We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Improper Limitation of a Pathname to a Restricted Directory
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Affected versions: [">= 3.0, < 3.1.6"]
Bumps django from 3.1.1 to 3.1.7.
Commits
56f2ccc[3.1.x] Bumped version for 3.1.7 release.8f6d431[3.1.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.ht...536d117[3.1.x] Added documentation extlink for bugs.python.org.921ffcb[3.1.x] Fixed #32438 -- Fixed typo in docs/topics/testing/tools.txt.b1416cb[3.1.x] Fixed #32430 -- Doc'd base class-based views.4f5e550[3.1.x] Fixed #32408 -- Doc'd django.views.generic.detail.BaseDetailView.efaf9f4[3.1.x] Fixed backends.postgresql.tests.Tests.test_nodb_cursor_raises_postgre...5dec57a[3.1.x] Fixed #31550 -- Adjusted ASGI test_file_response for various Windows ...30b7717[3.1.x] Corrected typo in advice to new contributors.526a6f0[3.1.x] Refs #32412 -- Adjusted link from tutorial to reference docs.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)