mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[5.0.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.

Browse Source 
Thank you sw0rd1ight for the report.

Backport of 39e2297210 from main.
This commit is contained in:
Sarah Boyce
2025-03-06 15:24:56 +01:00
parent 2be56bc534
commit 8c6871b097
5 changed files with 34 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/releases/5.0.14.txt
View File

@@ -5,3 +5,13 @@ Django 5.0.14 release notes
*April 2, 2025*
Django 5.0.14 fixes a security issue with severity "moderate" in 5.0.13.
CVE-2025-27556: Potential denial-of-service vulnerability in ``LoginView``, ``LogoutView``, and ``set_language()`` on Windows
=============================================================================================================================
Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.contrib.auth.views.LoginView`,
:class:`~django.contrib.auth.views.LogoutView`, and
:func:`~django.views.i18n.set_language` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters.