2019-07-25 08:49:30 +00:00
|
|
|
============================
|
|
|
|
|
Django 1.11.23 release notes
|
|
|
|
|
============================
|
|
|
|
|
|
|
|
|
|
*August 1, 2019*
|
|
|
|
|
|
|
|
|
|
Django 1.11.23 fixes security issues in 1.11.22.
|
2019-07-15 09:46:09 +00:00
|
|
|
|
|
|
|
|
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
|
|
|
|
|
================================================================================
|
|
|
|
|
|
|
|
|
|
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
|
|
|
|
|
were passed the ``html=True`` argument, they were extremely slow to evaluate
|
|
|
|
|
certain inputs due to a catastrophic backtracking vulnerability in a regular
|
|
|
|
|
expression. The ``chars()`` and ``words()`` methods are used to implement the
|
|
|
|
|
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
|
|
|
|
|
filters, which were thus vulnerable.
|
|
|
|
|
|
|
|
|
|
The regular expressions used by ``Truncator`` have been simplified in order to
|
|
|
|
|
avoid potential backtracking issues. As a consequence, trailing punctuation may
|
|
|
|
|
now at times be included in the truncated output.
|
