django/docs/releases/5.0.10.txt

===========================
Django 5.0.10 release notes
===========================

*December 4, 2024*

Django 5.0.10 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 5.0.9.

CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
before raising a :exc:`.SuspiciousOperation` exception.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.

CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
==========================================================================

Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
was subject to SQL injection if untrusted data was used as a ``lhs`` value.

Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
the ``__`` syntax are unaffected.
Added stub release notes and release date for 5.1.4, 5.0.10, and 4.2.17. 2024-11-27 13:30:12 +00:00			`===========================`
			`Django 5.0.10 release notes`
			`===========================`

			`December 4, 2024`

			`Django 5.0.10 fixes one security issue with severity "high" and one security`
			`issue with severity "moderate" in 5.0.9.`
Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags(). Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews. 2024-11-13 14:06:23 +00:00
			CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
			`=================================================================`

			:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
			`certain inputs containing large sequences of nested incomplete HTML entities.`
			The ``strip_tags()`` method is used to implement the corresponding
			:tfilter:`striptags` template filter, which was thus also vulnerable.

			``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
			before raising a :exc:`.SuspiciousOperation` exception.

			`Remember that absolutely NO guarantee is provided about the results of`
			``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
			``strip_tags()`` call without escaping it first, for example with
			:func:`django.utils.html.escape`.
Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews. 2024-11-09 02:27:31 +00:00
			CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
			`==========================================================================`

			Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
			was subject to SQL injection if untrusted data was used as a ``lhs`` value.

			Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
			the ``__`` syntax are unaffected.