首頁 探索 說明
登入
CityApper
/
django
镜像来自 https://github.com/django/django
2
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: 8e7a44e4be
分支列表 標籤列表
django
/
docs
/
releases
/
5.0.7.txt

5.0.7.txt 2.5 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. ==========================
    2. 

  2. Django 5.0.7 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. *July 9, 2024*
    6. 

  6. 

  7. Django 5.0.7 fixes two security issues with severity "moderate", two security
    8. 

  8. issues with severity "low", and several bugs in 5.0.6.
    9. 

  9. 

  10. CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
    11. 

  11. ===========================================================================================
    12. 

  12. 

  13. :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
    14. 

  14. denial-of-service attack via certain inputs with a very large number of
    15. 

  15. brackets.
    16. 

  16. 

  17. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
    18. 

  18. ================================================================================================
    19. 

  19. 

  20. The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
    21. 

  21. allowed remote attackers to enumerate users via a timing attack involving login
    22. 

  22. requests for users with unusable passwords.
    23. 

  23. 

  24. CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
    25. 

  25. ====================================================================
    26. 

  26. 

  27. Derived classes of the :class:`~django.core.files.storage.Storage` base class
    28. 

  28. which override :meth:`generate_filename()
    29. 

  29. <django.core.files.storage.Storage.generate_filename()>` without replicating
    30. 

  30. the file path validations existing in the parent class, allowed for potential
    31. 

  31. directory-traversal via certain inputs when calling :meth:`save()
    32. 

  32. <django.core.files.storage.Storage.save()>`.
    33. 

  33. 

  34. Built-in ``Storage`` sub-classes were not affected by this vulnerability.
    35. 

  35. 

  36. CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
    37. 

  37. =================================================================================================
    38. 

  38. 

  39. :meth:`~django.utils.translation.get_supported_language_variant` was subject to
    40. 

  40. a potential denial-of-service attack when used with very long strings
    41. 

  41. containing specific characters.
    42. 

  42. 

  43. To mitigate this vulnerability, the language code provided to
    44. 

  44. :meth:`~django.utils.translation.get_supported_language_variant` is now parsed
    45. 

  45. up to a maximum length of 500 characters.
    46. 

  46. 

  47. When the language code is over 500 characters, a :exc:`ValueError` will now be
    48. 

  48. raised if ``strict`` is ``True``, or if there is no generic variant and
    49. 

  49. ``strict`` is ``False``.
    50. 

  50. 

  51. Bugfixes
    52. 

  52. ========
    53. 

  53. 

  54. * Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
    55. 

  55.   unsaved model instances with a ``GeneratedField`` and certain defined
    56. 

  56.   :attr:`Meta.constraints <django.db.models.Options.constraints>`
    57. 

  57.   (:ticket:`35560`).
    58.