1
0
mirror of https://github.com/django/django.git synced 2024-12-23 09:36:06 +00:00
Commit Graph

10 Commits

Author SHA1 Message Date
Florian Apolloner
76ed1c49f8 Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Mariusz Felisiak
7deeabc7c7 Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
2019-08-01 09:24:54 +02:00
Florian Apolloner
4b78420d25 Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Florian Apolloner
7f65974f82 Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Carlton Gibson
f13147c8de Added stub release notes for security releases. 2019-07-25 10:49:30 +02:00
Tom Forbes
fc75694257 Fixed #30647 -- Fixed crash of autoreloader when extra directory cannot be resolved. 2019-07-24 14:08:37 +02:00
Tom Forbes
2ff517ccb6 Fixed #30506 -- Fixed crash of autoreloader when path contains null characters. 2019-07-23 10:03:23 +02:00
Mariusz Felisiak
7991111af1
Fixed #30621 -- Fixed crash of __contains lookup for Date/DateTimeRangeField when the right hand side is the same type.
Thanks Tilman Koschnick for the report and initial patch.
Thanks Carlton Gibson the review.

Regression in 6b048b364c.
2019-07-10 10:33:36 +02:00
Simon Charette
ee6e93ec87 Fixed #30628 -- Adjusted expression identity to differentiate bound fields.
Expressions referring to different bound fields should not be
considered equal.

Thanks Julien Enselme for the detailed report.

Regression in bc7e288ca9.
2019-07-10 07:46:08 +02:00
Mariusz Felisiak
08e69cad9c Added stub release notes for 2.2.4. 2019-07-09 07:39:35 +02:00