2023-09-28 01:18:40 +08:00
|
|
|
===========================
|
|
|
|
Django 4.1.12 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*October 4, 2023*
|
|
|
|
|
|
|
|
Django 4.1.12 fixes a security issue with severity "moderate" in 4.1.11.
|
|
|
|
|
2023-09-19 20:51:48 +08:00
|
|
|
CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
|
|
|
|
================================================================================
|
|
|
|
|
|
|
|
Following the fix for :cve:`2019-14232`, the regular expressions used in the
|
|
|
|
implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
|
|
|
|
methods (with ``html=True``) were revised and improved. However, these regular
|
|
|
|
expressions still exhibited linear backtracking complexity, so when given a
|
|
|
|
very long, potentially malformed HTML input, the evaluation would still be
|
|
|
|
slow, leading to a potential denial of service vulnerability.
|
|
|
|
|
|
|
|
The ``chars()`` and ``words()`` methods are used to implement the
|
|
|
|
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
|
|
|
|
filters, which were thus also vulnerable.
|
|
|
|
|
|
|
|
The input processed by ``Truncator``, when operating in HTML mode, has been
|
|
|
|
limited to the first five million characters in order to avoid potential
|
|
|
|
performance and memory issues.
|