mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00
Code Issues 32 Releases Wiki Activity

[5.0.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().

Browse Source 
Thanks Seokchan Yoon for the report.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
This commit is contained in:
Shai Berger
2024-02-19 13:56:37 +01:00
committed by Mariusz Felisiak
parent 80761c3b01
commit 3394fc6132
5 changed files with 105 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/releases/4.2.11.txt
View File

@@ -7,6 +7,14 @@ Django 4.2.11 release notes
Django 4.2.11 fixes a security issue with severity "moderate" and a regression
in 4.2.10.
CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================
``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
Bugfixes
========