2018-02-25 08:39:17 +08:00
|
|
|
============================
|
|
|
|
Django 1.11.11 release notes
|
|
|
|
============================
|
|
|
|
|
|
|
|
*March 6, 2018*
|
|
|
|
|
|
|
|
Django 1.11.11 fixes two security issues in 1.11.10.
|
2018-02-25 00:30:11 +08:00
|
|
|
|
|
|
|
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
|
|
|
|
===============================================================================================
|
|
|
|
|
|
|
|
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
|
|
|
|
certain inputs due to catastrophic backtracking vulnerabilities in two regular
|
|
|
|
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
|
|
|
|
``urlizetrunc`` template filters, which were thus vulnerable.
|
|
|
|
|
|
|
|
The problematic regular expressions are replaced with parsing logic that
|
|
|
|
behaves similarly.
|