Django 2.2.4 release notes
Django 2.2.4 fixes security issues and several bugs in 2.2.3.
If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the and truncatewords_html template filters, which were thus vulnerable.
Due to the behavior of the underlying HTMLParser, would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.
strip_tags() now avoids recursive calls to HTMLParser once a pass stops making progress at removing tags (incomplete HTML entities necessarily remain in the output).
for and for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().
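As an added example (not from the release notes or Django's own code), a defence-in-depth check for the injection issue above: rather than expanding a caller-supplied dictionary straight into `QuerySet.filter(**kwargs)`, validate every lookup key against an allowlist of fields, JSON/HStore key names and lookup types first. The field names, key names and the `UnsafeLookup` exception are constructed for illustration; upgrading to 2.2.4 remains the actual fix.

```python
import re

# Constructed allowlist for illustration: which model fields may be filtered,
# which JSON/HStore keys may be addressed beneath them, and which lookup
# types may be applied. Anything not listed is rejected before it reaches
# the ORM, so the dictionary's keys never control the generated SQL.
ALLOWED_FIELDS = {"title", "status"}                # plain columns
ALLOWED_KEYS = {"data": {"colour", "size"}}          # JSON/HStore field -> keys
ALLOWED_LOOKUPS = {"exact", "iexact", "contains", "icontains", "in"}

# Each component of a Django lookup key must be a plain identifier.
_PART = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeLookup(ValueError):
    """Raised when a caller-supplied filter key is not on the allowlist."""


def validate_filter_key(key):
    """Check one `field[__key][__lookup]` string and return it unchanged if safe.

    The field must be allowed; a sub-key is only accepted beneath a JSON/HStore
    field that lists that key; at most one trailing lookup type may follow.
    """
    if not isinstance(key, str):
        raise UnsafeLookup("lookup key must be a string")
    parts = key.split("__")
    if not all(_PART.match(p) for p in parts):
        raise UnsafeLookup(f"malformed lookup component in {key!r}")
    field, rest = parts[0], parts[1:]
    if field in ALLOWED_FIELDS:
        pass
    elif field in ALLOWED_KEYS:
        # Key lookups on JSON/HStore fields: the next component must be a
        # listed key, not an arbitrary string chosen by the caller.
        if not rest or rest[0] not in ALLOWED_KEYS[field]:
            raise UnsafeLookup(f"disallowed key lookup in {key!r}")
        rest = rest[1:]
    else:
        raise UnsafeLookup(f"field {field!r} may not be filtered")
    if len(rest) > 1 or (rest and rest[0] not in ALLOWED_LOOKUPS):
        raise UnsafeLookup(f"disallowed lookup type in {key!r}")
    return key


def safe_filter_kwargs(untrusted):
    """Return a dict of validated keys, ready for `Model.objects.filter(**...)`.

    Fails loudly on the first bad key instead of silently dropping it, so the
    rejected input shows up in application logs.
    """
    return {validate_filter_key(k): v for k, v in untrusted.items()}


def is_safe_key(key):
    """Boolean convenience wrapper around validate_filter_key()."""
    try:
        validate_filter_key(key)
        return True
    except UnsafeLookup:
        return False
```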
If passed certain inputs, could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.
- Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or , if the right-hand side of an expression is the same type (#30621).
- Fixed a regression in Django 2.2 where the auto-reloader crashes if a file path contains null characters () ().