mirror of
https://github.com/django/django.git
synced 2025-01-04 07:26:38 +00:00
12a19321b4
Backport of 73b2c63127
from main
51 lines
2.1 KiB
Plaintext
51 lines
2.1 KiB
Plaintext
==========================
|
|
Django 4.2.6 release notes
|
|
==========================
|
|
|
|
*October 4, 2023*
|
|
|
|
Django 4.2.6 fixes a security issue with severity "moderate" and several bugs
|
|
in 4.2.5.
|
|
|
|
CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
|
|
================================================================================
|
|
|
|
Following the fix for :cve:`2019-14232`, the regular expressions used in the
|
|
implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
|
|
methods (with ``html=True``) were revised and improved. However, these regular
|
|
expressions still exhibited linear backtracking complexity, so when given a
|
|
very long, potentially malformed HTML input, the evaluation would still be
|
|
slow, leading to a potential denial of service vulnerability.
|
|
|
|
The ``chars()`` and ``words()`` methods are used to implement the
|
|
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
|
|
filters, which were thus also vulnerable.
|
|
|
|
The input processed by ``Truncator``, when operating in HTML mode, has been
|
|
limited to the first five million characters in order to avoid potential
|
|
performance and memory issues.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a regression in Django 4.2.5 where overriding the deprecated
|
|
``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings in tests caused
|
|
the main ``STORAGES`` to mutate (:ticket:`34821`).
|
|
|
|
* Fixed a regression in Django 4.2 that caused unnecessary casting of string
|
|
based fields (``CharField``, ``EmailField``, ``TextField``, ``CICharField``,
|
|
``CIEmailField``, and ``CITextField``) used with the ``__isnull`` lookup on
|
|
PostgreSQL. As a consequence, indexes using an ``__isnull`` expression or
|
|
condition created before Django 4.2 wouldn't be used by the query planner,
|
|
leading to a performance regression (:ticket:`34840`).
|
|
|
|
You may need to recreate such indexes created in your database with Django
|
|
4.2 to 4.2.5, as they contain unnecessary ``::text`` casting. Find candidate
|
|
indexes with this query:
|
|
|
|
.. code-block:: sql
|
|
|
|
SELECT indexname, indexdef
|
|
FROM pg_indexes
|
|
WHERE indexdef LIKE '%::text IS %NULL';
|