mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 14:16:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Browse Source 
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
This commit is contained in:
Sarah Boyce
2025-04-08 16:30:17 +02:00
committed by Natalia
parent f7d97dd118
commit 9f3419b519
5 changed files with 53 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docs/releases/4.2.21.txt
View File

@@ -7,6 +7,17 @@ Django 4.2.21 release notes
Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
and a regression in 4.2.20.
CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================
:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.
:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.
Bugfixes
========

11
docs/releases/5.1.9.txt
View File

@@ -7,6 +7,17 @@ Django 5.1.9 release notes
Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug,
and a regression in 5.1.8.
CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================
:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.
:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.
Bugfixes
========

11
docs/releases/5.2.1.txt
View File

@@ -7,6 +7,17 @@ Django 5.2.1 release notes
Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
in 5.2.
CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================
:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.
:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.
Bugfixes
========