django/docs/releases/1.11.23.txt

============================
Django 1.11.23 release notes
============================

*August 1, 2019*

Django 1.11.23 fixes security issues in 1.11.22.

CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.

The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
=================================================================

Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.
Added stub release notes for security releases. 2019-07-25 08:49:30 +00:00			`============================`
			`Django 1.11.23 release notes`
			`============================`

			`August 1, 2019`

			`Django 1.11.23 fixes security issues in 1.11.22.`
Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML. Thanks to Guido Vranken for initial report. 2019-07-15 09:46:09 +00:00
			CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
			`================================================================================`

			If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
			were passed the ``html=True`` argument, they were extremely slow to evaluate
			`certain inputs due to a catastrophic backtracking vulnerability in a regular`
			expression. The ``chars()`` and ``words()`` methods are used to implement the
			:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
			`filters, which were thus vulnerable.`

			The regular expressions used by ``Truncator`` have been simplified in order to
			`avoid potential backtracking issues. As a consequence, trailing punctuation may`
			`now at times be included in the truncated output.`
Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report. 2019-07-15 10:00:06 +00:00
			CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
			`=================================================================`

			Due to the behavior of the underlying ``HTMLParser``,
			:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
			`certain inputs containing large sequences of nested incomplete HTML entities.`
			The ``strip_tags()`` method is used to implement the corresponding
			:tfilter:`striptags` template filter, which was thus also vulnerable.

			``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
			`removing tags, but necessarily incomplete HTML entities, stops being made.`

			`Remember that absolutely NO guarantee is provided about the results of`
			``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
			``strip_tags()`` call without escaping it first, for example with
			:func:`django.utils.html.escape`.