mirror of
https://github.com/django/django.git
synced 2024-12-22 09:05:43 +00:00
8f8dc5a1fc
Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
34 lines
1.4 KiB
Plaintext
34 lines
1.4 KiB
Plaintext
===========================
|
|
Django 4.2.17 release notes
|
|
===========================
|
|
|
|
*December 4, 2024*
|
|
|
|
Django 4.2.17 fixes one security issue with severity "high" and one security
|
|
issue with severity "moderate" in 4.2.16.
|
|
|
|
CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
|
|
=================================================================
|
|
|
|
:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
|
|
certain inputs containing large sequences of nested incomplete HTML entities.
|
|
The ``strip_tags()`` method is used to implement the corresponding
|
|
:tfilter:`striptags` template filter, which was thus also vulnerable.
|
|
|
|
``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
|
|
before raising a :exc:`.SuspiciousOperation` exception.
|
|
|
|
Remember that absolutely NO guarantee is provided about the results of
|
|
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
|
|
``strip_tags()`` call without escaping it first, for example with
|
|
:func:`django.utils.html.escape`.
|
|
|
|
CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
|
|
==========================================================================
|
|
|
|
Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
|
|
was subject to SQL injection if untrusted data was used as a ``lhs`` value.
|
|
|
|
Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
|
|
the ``__`` syntax are unaffected.
|