Django 2.2.4 release notes

    Django 2.2.4 fixes security issues and several bugs in 2.2.3.

    If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the and truncatewords_html template filters, which were thus vulnerable.

    Due to the behavior of the underlying HTMLParser, would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

    strip_tags() now stops making recursive calls to HTMLParser as soon as a pass no longer removes any tags, even if that pass still consumes incomplete HTML entities; removal of incomplete entities alone no longer counts as progress.
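    As an added illustration of that progress check (example code written for these notes, not Django's own implementation), a minimal tag stripper on top of the standard-library HTMLParser that re-parses only while a pass actually removes a tag:

```python
from html.parser import HTMLParser


class TagStripper(HTMLParser):
    """Collects everything that is not a tag; entity and character
    references are re-emitted untouched rather than decoded."""

    def __init__(self):
        # convert_charrefs=False so handle_entityref/handle_charref fire
        super().__init__(convert_charrefs=False)
        self.fed = []

    def handle_data(self, data):
        self.fed.append(data)

    def handle_entityref(self, name):
        self.fed.append("&%s;" % name)

    def handle_charref(self, name):
        self.fed.append("&#%s;" % name)

    def get_data(self):
        return "".join(self.fed)


def _strip_once(value):
    """One parser pass over the input."""
    stripper = TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags(value):
    """Repeat single passes because one pass can expose a new tag
    (e.g. '<<b>b>x' becomes '<b>x'), but stop as soon as a pass removes
    no '<' at all: then only incomplete entities or stray characters are
    changing, and that must not keep the parser looping."""
    value = str(value)
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        if value.count("<") == new_value.count("<"):
            break  # no tag removed this pass; stop re-parsing
        value = new_value
    return value


if __name__ == "__main__":
    # constructed sample inputs
    print(strip_tags("<b>bold</b> &amp; <i>x</i>"))  # bold &amp; x
    print(strip_tags("<<b>b>x"))                     # x
    print(strip_tags("<>x"))                         # <>x
```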

    for and for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().

    If passed certain inputs, could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.

    • Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or , if the right hand side of an expression is the same type (#30621).
    • Fixed a regression in Django 2.2 where the auto-reloader crashed if a file path contained null characters () ().