mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

[1.6.x] Fixed DoS possibility in ModelMultipleChoiceField.

This is a security fix. Disclosure following shortly.

Thanks Keryn Knight for the report and initial patch.
Tim Graham
2014-12-11 08:31:03 -05:00
parent 553779c405
commit d7a06ee7e5
3 changed files with 53 additions and 5 deletions


@@ -58,3 +58,12 @@ Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
Database denial-of-service with ``ModelMultipleChoiceField``
============================================================
Given a form that uses ``ModelMultipleChoiceField`` and
``show_hidden_initial=True`` (not a documented API), it was possible for a user
to cause an unreasonable number of SQL queries by submitting duplicate values
for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
deduplicates submitted values to address this issue.
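Review bot: the last two added lines say only that the validation logic "now deduplicates submitted values", which leaves the reader of the release notes unsure whether duplicate submissions are still accepted or now rejected, and whether the query count is what changed. Consider stating the observable behaviour explicitly, for example "Duplicate values are now collapsed before the lookup is issued, so a submission containing the same primary key many times results in the same number of queries as one containing it once." It would also help to say in the opening sentence which component the attacker controls (the POST data for the field) and that the problem only arises with `show_hidden_initial=True`, since the parenthetical "(not a documented API)" reads as an aside rather than as the precondition it is.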