1. ===========================

  2. Django 2.1.11 release notes

  3. ===========================

  4. 

  5. *August 1, 2019*

  6. 

  7. Django 2.1.11 fixes security issues in 2.1.10.

  8. 

  9. CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``

  10. ================================================================================

  11. 

  12. If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods

  13. were passed the ``html=True`` argument, they were extremely slow to evaluate

  14. certain inputs due to a catastrophic backtracking vulnerability in a regular

  15. expression. The ``chars()`` and ``words()`` methods are used to implement the

  16. :tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template

  17. filters, which were thus vulnerable.

  18. 

  19. The regular expressions used by ``Truncator`` have been simplified in order to

  20. avoid potential backtracking issues. As a consequence, trailing punctuation may

  21. now at times be included in the truncated output.

  22. 

  23. CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``

  24. =================================================================

  25. 

  26. Due to the behavior of the underlying ``HTMLParser``,

  27. :func:`django.utils.html.strip_tags` would be extremely slow to evaluate

  28. certain inputs containing large sequences of nested incomplete HTML entities.

  29. The ``strip_tags()`` method is used to implement the corresponding

  30. :tfilter:`striptags` template filter, which was thus also vulnerable.

  31. 

  32. ``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress

  33. removing tags, but necessarily incomplete HTML entities, stops being made.

  34. 

  35. Remember that absolutely NO guarantee is provided about the results of

  36. ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a

  37. ``strip_tags()`` call without escaping it first, for example with

  38. :func:`django.utils.html.escape`.

  39. 

  40. CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``

  41. ====================================================================================================

  42. 

  43. :lookup:`Key and index lookups <jsonfield.key>` for

  44. ``django.contrib.postgres.fields.JSONField`` and :lookup:`key lookups

  45. <hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`

  46. were subject to SQL injection, using a suitably crafted dictionary, with

  47. dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.

  48. 

  49. CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``

  50. =====================================================================================

  51. 

  52. If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead

  53. to significant memory usage due to excessive recursion when re-percent-encoding

  54. invalid UTF-8 octet sequences.

  55. 

  56. ``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8

  57. octet sequences.
About Sign Up Leave Feedback Contact