Startseite Erkunden Hilfe
Anmelden
CityApper
/
django
Mirror von https://github.com/django/django
2
0
Fork 0
Dateien Issues 0 Wiki
Struktur: 7cb5712edc
Branches Tags
django
/
docs
/
releases
/
1.11.23.txt

1.11.23.txt 2.8 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. ============================
    2. 

  2. Django 1.11.23 release notes
    3. 

  3. ============================
    4. 

  4. 

  5. *August 1, 2019*
    6. 

  6. 

  7. Django 1.11.23 fixes security issues in 1.11.22.
    8. 

  8. 

  9. CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
    10. 

  10. ================================================================================
    11. 

  11. 

  12. If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
    13. 

  13. were passed the ``html=True`` argument, they were extremely slow to evaluate
    14. 

  14. certain inputs due to a catastrophic backtracking vulnerability in a regular
    15. 

  15. expression. The ``chars()`` and ``words()`` methods are used to implement the
    16. 

  16. :tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
    17. 

  17. filters, which were thus vulnerable.
    18. 

  18. 

  19. The regular expressions used by ``Truncator`` have been simplified in order to
    20. 

  20. avoid potential backtracking issues. As a consequence, trailing punctuation may
    21. 

  21. now at times be included in the truncated output.
    22. 

  22. 

  23. CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
    24. 

  24. =================================================================
    25. 

  25. 

  26. Due to the behavior of the underlying ``HTMLParser``,
    27. 

  27. :func:`django.utils.html.strip_tags` would be extremely slow to evaluate
    28. 

  28. certain inputs containing large sequences of nested incomplete HTML entities.
    29. 

  29. The ``strip_tags()`` method is used to implement the corresponding
    30. 

  30. :tfilter:`striptags` template filter, which was thus also vulnerable.
    31. 

  31. 

  32. ``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
    33. 

  33. removing tags, but necessarily incomplete HTML entities, stops being made.
    34. 

  34. 

  35. Remember that absolutely NO guarantee is provided about the results of
    36. 

  36. ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
    37. 

  37. ``strip_tags()`` call without escaping it first, for example with
    38. 

  38. :func:`django.utils.html.escape`.
    39. 

  39. 

  40. CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
    41. 

  41. ====================================================================================================
    42. 

  42. 

  43. :lookup:`Key and index lookups <jsonfield.key>` for
    44. 

  44. ``django.contrib.postgres.fields.JSONField`` and :lookup:`key lookups
    45. 

  45. <hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
    46. 

  46. were subject to SQL injection, using a suitably crafted dictionary, with
    47. 

  47. dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
    48. 

  48. 

  49. CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
    50. 

  50. =====================================================================================
    51. 

  51. 

  52. If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
    53. 

  53. to significant memory usage due to excessive recursion when re-percent-encoding
    54. 

  54. invalid UTF-8 octet sequences.
    55. 

  55. 

  56. ``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
    57. 

  57. octet sequences.
    58.