django/docs/releases/5.0.8.txt

==========================
Django 5.0.8 release notes
==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
  using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
  break the admin changelist HTML page when rendering a model instance with a
  ``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
  ``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
  or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
  ``LocaleMiddleware`` when processing a language code over 500 characters
  (:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
  ``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
  ``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
  or incorrectly raise validation errors for constraints referring to fields
  using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
  with a ``db_default`` set (:ticket:`35657`).
Added stub release notes for 5.0.8. 2024-07-09 14:34:44 +00:00			`==========================`
			`Django 5.0.8 release notes`
			`==========================`

Added stub release notes and release date for 5.0.8 and 4.2.15. 2024-07-31 09:21:32 +00:00			`August 6, 2024`
Added stub release notes for 5.0.8. 2024-07-09 14:34:44 +00:00
Added stub release notes and release date for 5.0.8 and 4.2.15. 2024-07-31 09:21:32 +00:00			`Django 5.0.8 fixes three security issues with severity "moderate", one security`
			`issue with severity "high", and several bugs in 5.0.7.`
Added stub release notes for 5.0.8. 2024-07-09 14:34:44 +00:00
Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com> 2024-07-12 09:38:34 +00:00			CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
			`================================================================================`

			If :tfilter:`floatformat` received a string representation of a number in
			`scientific notation with a large exponent, it could lead to significant memory`
			`consumption.`

			`To avoid this, decimals with more than 200 digits are now returned as is.`

Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks to MProgrammer for the report. 2024-07-18 11:19:34 +00:00			CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
			`===========================================================================================`

			:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
			`denial-of-service attack via very large inputs with a specific sequence of`
			`characters.`

Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-07-10 18:30:12 +00:00			CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
			`=======================================================================================================================`

			:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
			`subject to a potential denial-of-service attack via certain inputs with a very`
			`large number of Unicode characters.`

Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. 2024-07-25 16:19:13 +00:00			CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
			`======================================================================================`

			:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
			with a ``JSONField`` were subject to SQL injection in column aliases, via a
			crafted JSON object key as a passed ``*arg``.

Added stub release notes for 5.0.8. 2024-07-09 14:34:44 +00:00			`Bugfixes`
			`========`

Fixed #35594 -- Added unique nulls distinct validation for expressions. Thanks Mark Gensler for the report. 2024-07-14 02:18:21 +00:00			* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
			using ``*expressions`` (:ticket:`35594`).
Fixed #35606, Refs #34045 -- Fixed rendering of ModelAdmin.action_checkbox for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2. 2024-07-17 13:50:45 +00:00
			* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
			`break the admin changelist HTML page when rendering a model instance with a`
			``__html__`` method (:ticket:`35606`).
Fixed #35625 -- Fixed a crash when adding a field with db_default and check constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review. 2024-07-23 04:33:31 +00:00
			* Fixed a crash when creating a model with a ``Field.db_default`` and a
			``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
			or ``__contains`` lookups (:ticket:`35625`).
Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. 2024-07-23 10:06:29 +00:00
			`* Fixed a regression in Django 5.0.7 that caused a crash in`
			``LocaleMiddleware`` when processing a language code over 500 characters
			(:ticket:`35627`).
Fixed #35628 -- Allowed compatible GeneratedFields for ModelAdmin.date_hierarchy. 2024-07-24 18:53:06 +00:00
			`* Fixed a bug in Django 5.0 that caused a system check crash when`
			``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
			``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).
Fixed #35638 -- Updated validate_constraints to consider db_default. 2024-08-05 06:22:29 +00:00
			`* Fixed a bug in Django 5.0 which caused constraint validation to either crash`
			`or incorrectly raise validation errors for constraints referring to fields`
			using ``Field.db_default`` (:ticket:`35638`).
Fixed #35657 -- Made FileField handle db_default values. 2024-08-05 19:36:49 +00:00
			* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
			with a ``db_default`` set (:ticket:`35657`).