p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Don't characterize XML vulnerabilities as DoS-only.

This commit is contained in:
Carl Meyer 2013-02-19 18:20:08 -07:00
parent 23ef6e1baf
commit c7f80b428b
1 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docs/releases/1.5.txt
View File

@ -631,12 +631,11 @@ databases <contrib_app_multiple_databases>` for more information.
XML deserializer will not parse documents with a DTD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In order to prevent exposure to denial-of-service attacks related to external
entity references and entity expansion, the XML model deserializer now refuses
to parse XML documents containing a DTD (DOCTYPE definition). Since the XML
serializer does not output a DTD, this will not impact typical usage, only
cases where custom-created XML documents are passed to Django's model
deserializer.
In order to prevent exposure to attacks related to external entity references
and entity expansion, the XML model deserializer now refuses to parse XML
documents containing a DTD (DOCTYPE definition). Since the XML serializer does
not output a DTD, this will not impact typical usage, only cases where
custom-created XML documents are passed to Django's model deserializer.
Formsets default ``max_num``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~