django/docs/releases/4.2.6.txt

==========================
Django 4.2.6 release notes
==========================

*October 4, 2023*

Django 4.2.6 fixes a security issue with severity "moderate" and several bugs
in 4.2.5.

CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

Following the fix for :cve:`2019-14232`, the regular expressions used in the
implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
methods (with ``html=True``) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.

The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus also vulnerable.

The input processed by ``Truncator``, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.

Bugfixes
========

* Fixed a regression in Django 4.2.5 where overriding the deprecated
  ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings in tests caused
  the main ``STORAGES`` to mutate (:ticket:`34821`).

* Fixed a regression in Django 4.2 that caused unnecessary casting of string
  based fields (``CharField``, ``EmailField``, ``TextField``, ``CICharField``,
  ``CIEmailField``, and ``CITextField``) used with the ``__isnull`` lookup on
  PostgreSQL. As a consequence, indexes using an ``__isnull`` expression or
  condition created before Django 4.2 wouldn't be used by the query planner,
  leading to a performance regression (:ticket:`34840`).

  You may need to recreate such indexes created in your database with Django
  4.2 to 4.2.5, as they contain unnecessary ``::text`` casting. Find candidate
  indexes with this query:

  .. code-block:: sql

        SELECT indexname, indexdef
        FROM pg_indexes
        WHERE indexdef LIKE '%::text IS %NULL';
Added stub release notes for 4.2.6. 2023-09-04 11:22:22 +00:00			`==========================`
			`Django 4.2.6 release notes`
			`==========================`

Added stub release notes and release date for 4.2.6, 4.1.12, and 3.2.22. 2023-09-27 17:18:40 +00:00			`October 4, 2023`
Added stub release notes for 4.2.6. 2023-09-04 11:22:22 +00:00
Added stub release notes and release date for 4.2.6, 4.1.12, and 3.2.22. 2023-09-27 17:18:40 +00:00			`Django 4.2.6 fixes a security issue with severity "moderate" and several bugs`
			`in 4.2.5.`
Added stub release notes for 4.2.6. 2023-09-04 11:22:22 +00:00
Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report. 2023-09-19 12:51:48 +00:00			CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
			`================================================================================`

			Following the fix for :cve:`2019-14232`, the regular expressions used in the
			implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
			methods (with ``html=True``) were revised and improved. However, these regular
			`expressions still exhibited linear backtracking complexity, so when given a`
			`very long, potentially malformed HTML input, the evaluation would still be`
			`slow, leading to a potential denial of service vulnerability.`

			The ``chars()`` and ``words()`` methods are used to implement the
			:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
			`filters, which were thus also vulnerable.`

			The input processed by ``Truncator``, when operating in HTML mode, has been
			`limited to the first five million characters in order to avoid potential`
			`performance and memory issues.`

Added stub release notes for 4.2.6. 2023-09-04 11:22:22 +00:00			`Bugfixes`
			`========`

Fixed #34821 -- Prevented DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings from mutating the main STORAGES. Regression in 6b965c600054f970bdf94017ecf2e0e6e0a4326b. 2023-09-11 11:04:32 +00:00			`* Fixed a regression in Django 4.2.5 where overriding the deprecated`
			``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings in tests caused
			the main ``STORAGES`` to mutate (:ticket:`34821`).
Fixed #34840 -- Avoided casting string base fields on PostgreSQL. Thanks Alex Vandiver for the report. Regression in 09ffc5c1212d4ced58b708cbbf3dfbfb77b782ca. 2023-09-22 04:01:11 +00:00
			`* Fixed a regression in Django 4.2 that caused unnecessary casting of string`
			based fields (``CharField``, ``EmailField``, ``TextField``, ``CICharField``,
			``CIEmailField``, and ``CITextField``) used with the ``__isnull`` lookup on
Refs #34840 -- Improved release note describing index regression. 2023-10-15 08:27:11 +00:00			PostgreSQL. As a consequence, indexes using an ``__isnull`` expression or
			`condition created before Django 4.2 wouldn't be used by the query planner,`
			leading to a performance regression (:ticket:`34840`).
Fixed #34840 -- Avoided casting string base fields on PostgreSQL. Thanks Alex Vandiver for the report. Regression in 09ffc5c1212d4ced58b708cbbf3dfbfb77b782ca. 2023-09-22 04:01:11 +00:00
Refs #34840 -- Improved release note describing index regression. 2023-10-15 08:27:11 +00:00			`You may need to recreate such indexes created in your database with Django`
			4.2 to 4.2.5, as they contain unnecessary ``::text`` casting. Find candidate
			`indexes with this query:`

			`.. code-block:: sql`

			`SELECT indexname, indexdef`
			`FROM pg_indexes`
			`WHERE indexdef LIKE '%::text IS %NULL';`