oss-sec mailing list archives

Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.


From: Carlton Gibson <carlton.gibson () gmail com>
Date: Wed, 3 Aug 2022 09:54:16 +0200

See: https://www.djangoproject.com/weblog/2022/aug/03/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django
team is issuing `Django 4.0.7 <https://docs.djangoproject.com/en/dev/releases/4.0.7/>`_
and `Django 3.2.15 <https://docs.djangoproject.com/en/dev/releases/3.2.15/>`_.
These releases address the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
===================================================================================

An application may have been vulnerable to a reflected file download (RFD)
attack that sets the Content-Disposition header of a ``FileResponse`` when the
``filename`` was derived from user-supplied input. The ``filename`` is now
escaped to avoid this possibility.

This issue has high severity, according to the Django security policy.

Thanks to Motoyasu Saburi for the report.
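As an added illustration of the escaping described above (this is example code, not Django's own implementation or the committed patch), the naive header construction beside a hardened one, in plain Python with no Django dependency; the function names and the constructed filenames are assumptions:

```python
from urllib.parse import quote

# Added example, not Django's code: escaping a user-supplied filename before
# it is placed in a Content-Disposition header.


def naive_content_disposition(filename, as_attachment=True):
    """Unsafe pattern: a double quote in the filename ends the quoted-string early."""
    disposition = "attachment" if as_attachment else "inline"
    return f'{disposition}; filename="{filename}"'


def has_control_chars(filename):
    """CR, LF and NUL never belong in a header value; reject them outright."""
    return any(ch in filename for ch in "\r\n\0")


def safe_content_disposition(filename, as_attachment=True):
    """Escape the filename per RFC 6266 (quoted-string) or RFC 5987
    (percent-encoded ext-value for non-ASCII names)."""
    if has_control_chars(filename):
        raise ValueError("control characters are not allowed in a filename")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # Non-ASCII: filename*=utf-8''<percent-encoded>, no quoting needed.
        return f"{disposition}; filename*=utf-8''{quote(filename)}"
    # ASCII: escape backslash first, then the double quote, so the value
    # cannot close the quoted-string and start a new parameter.
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{disposition}; filename="{escaped}"'


def quoted_filename(header):
    """Read the quoted-string filename back the way a conforming client
    does, honouring backslash escapes. Returns None if absent."""
    marker = 'filename="'
    start = header.find(marker)
    if start == -1:
        return None
    i, out = start + len(marker), []
    while i < len(header) and header[i] != '"':
        if header[i] == "\\" and i + 1 < len(header):
            i += 1  # skip the escape, keep the escaped character
        out.append(header[i])
        i += 1
    return "".join(out)
```

Round-tripping the safe header through ``quoted_filename`` returns the original name, while the naive header is read back truncated at the first embedded quote.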

Affected supported versions
===========================

* Django main branch
* Django 4.1 (which will be released in a separate blog post later today)
* Django 4.0
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and the
4.1, 4.0, and 3.2 release branches. The patches may be obtained from the
following changesets:

* On the `main branch <https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173>`__
* On the `4.1 release branch <https://github.com/django/django/commit/46916665f9aa729067ef894e994854ecf9223157>`__
* On the `4.0 release branch <https://github.com/django/django/commit/b7d9529cbe0af4adabb6ea5d01ed8dcce3668fb3>`__
* On the `3.2 release branch <https://github.com/django/django/commit/b3e4494d759202a3b6bf247fd34455bf13be5b80>`__

The following releases have been issued:

* Django 4.0.7 (`download Django 4.0.7 <https://www.djangoproject.com/m/releases/4.0/Django-4.0.7.tar.gz>`_ |
  `4.0.7 checksums <https://www.djangoproject.com/m/pgp/Django-4.0.7.checksum.txt>`_)
* Django 3.2.15 (`download Django 3.2.15 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.15.tar.gz>`_ |
  `3.2.15 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.15.checksum.txt>`_)

The PGP key ID used for this release is Carlton Gibson:
`E17DF5C82B4F9D00 <https://github.com/carltongibson.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
