Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.

Thanks to Dennis Brinkrolf for the report.

docs/releases/2.2.26.txt

@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.
 
 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.

docs/releases/3.2.11.txt

@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.
 
 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.

docs/releases/4.0.1.txt

@@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on
 dictionaries.
 
 As a reminder, all untrusted user input should be validated before use.
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.