| Field | Value | Date |
|---|---|---|
| author | Michael Merickel <michael@merickel.org> | 2023-08-24 23:49:50 -0600 |
| committer | Michael Merickel <michael@merickel.org> | 2023-08-24 23:49:50 -0600 |
| commit | b4e78bd14f7bbfce76399510a78b5346f9bd73e1 (patch) | |
| tree | c6a3597b7d05ec644ba7093198e7d6a64e8b1c05 /CHANGES.rst | |
| parent | 0919da5326ef65fb6569bc045ee0c0f033185f1c (diff) | |
| parent | 6726314834d0de9e29c45dcb3d6f3ce9118a956d (diff) | |
| download | pyramid-b4e78bd14f7bbfce76399510a78b5346f9bd73e1.tar.gz pyramid-b4e78bd14f7bbfce76399510a78b5346f9bd73e1.tar.bz2 pyramid-b4e78bd14f7bbfce76399510a78b5346f9bd73e1.zip | |
Merge branch 'tseaver-jp_exploit_fix'
Diffstat (limited to 'CHANGES.rst')
| -rw-r--r-- | CHANGES.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index 035162a14..46f7fbc18 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -14,9 +14,22 @@ Features Bug Fixes --------- +- Removed support for null-bytes in the path when making a request for a file + against a static_view. Whille null-bytes are allowed by the HTTP + specification, due to the handling of null-bytes potentially leading to + security vulnerabilities it is no longer supported. + + This fixes a security vulnerability that is present due to a bug in Python + 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an + ``index.html`` one directory up from the static views path. + + Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. + Backward Incompatibilities -------------------------- +- Requests to a static_view are no longer allowed to contain a null-byte in any + part of the path segment. - Pyramid is no longer tested on, nor supports Python 3.6 - Pyramid drops support for l*gettext() methods in the i18n module. These have been deprecated in Python's gettext module since 3.8, and |
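Review bot: the new Bug Fixes entry (the `+` lines following `Bug Fixes ---------`) has a typo, "Whille" for "While", and the sentence "due to the handling of null-bytes potentially leading to security vulnerabilities it is no longer supported" reads awkwardly; suggest "While null bytes are allowed by the HTTP specification, handling them can lead to security vulnerabilities, so they are no longer supported." The second paragraph attributes the disclosure to "a bug in Python 3.11.0 through 3.11.4" without naming the upstream issue or any tracking identifier; if one exists it belongs in this entry so readers can check whether their interpreter is affected. The Backward Incompatibilities entry states that a null byte in the path is "no longer allowed" but not what static_view now does with such a request (which error response the client receives); stating that would help operators write tests and detections for the new behaviour.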
