1. ===========================

  2. Django 3.1.10 release notes

  3. ===========================

  4. 

  5. *May 6, 2021*

  6. 

  7. Django 3.1.10 fixes a security issue in 3.1.9.

  8. 

  9. CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+

  10. ===============================================================================================================

  11. 

  12. On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit

  13. newlines and tabs. If you used values with newlines in HTTP response, you could

  14. suffer from header injection attacks. Django itself wasn't vulnerable because

  15. :class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.

  16. 

  17. Moreover, the ``URLField`` form field which uses ``URLValidator`` silently

  18. removes newlines and tabs on Python 3.9.5+, so the possibility of newlines

  19. entering your data only existed if you are using this validator outside of the

  20. form fields.

  21. 

  22. This issue was introduced by the :bpo:`43882` fix.
About Sign Up Leave Feedback Contact