Django 2.1.11 release notes
Django 2.1.11 fixes security issues in 2.1.10.
If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the and truncatewords_html template filters, which were thus vulnerable.
Due to the behavior of the underlying HTMLParser, strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now stops making recursive calls to HTMLParser as soon as no further progress is made at removing tags, rather than continuing while only necessarily incomplete HTML entities are being consumed.
for JSONField and for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().
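The keys of an expanded dictionary are what reach the lookup machinery, so an application-side allow-list on those keys limits exposure to this class of issue independently of the framework fix. The following is an added example, not Django's own code; the model fields, lookup names and request parameters are all hypothetical:

```python
import re

# Constructed allow-lists for this example (hypothetical model): the fields a
# request may filter on, and the lookup/key segments permitted after "__".
ALLOWED_FIELDS = {"title", "data", "tags"}
ALLOWED_SEGMENTS = {"exact", "icontains", "has_key", "author", "contains"}

# Each "__"-separated segment must be a plain identifier; anything else
# (quotes, spaces, control characters, non-string keys) is rejected outright.
_SEGMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_filter_kwargs(user_kwargs, allowed_fields=ALLOWED_FIELDS,
                        allowed_segments=ALLOWED_SEGMENTS):
    """Vet a request-supplied dict before expanding it into QuerySet.filter(**kwargs).
    Returns (clean, rejected): only `clean` may be expanded; `rejected` is (key, reason).
    """
    clean, rejected = {}, []
    for key, value in user_kwargs.items():
        if not isinstance(key, str):
            rejected.append((key, "key is not a string"))
            continue
        segments = key.split("__")
        if not all(_SEGMENT_RE.match(s) for s in segments):
            rejected.append((key, "malformed lookup key"))
            continue
        field, lookups = segments[0], segments[1:]
        if field not in allowed_fields:
            rejected.append((key, f"field {field!r} not allowed"))
            continue
        bad = [s for s in lookups if s not in allowed_segments]
        if bad:
            rejected.append((key, f"segment {bad[0]!r} not allowed"))
            continue
        clean[key] = value
    return clean, rejected


if __name__ == "__main__":
    # Constructed request parameters: two legitimate lookups and two that an
    # untrusted caller must not be able to turn into filter() kwargs.
    params = {
        "title__icontains": "django",
        "data__author__exact": "alice",
        "data__o'neil": "x",          # key segment is not an identifier
        "password__exact": "guess",   # field outside the allow-list
    }
    clean, rejected = check_filter_kwargs(params)
    # Only now is dictionary expansion reasonable: Model.objects.filter(**clean)
    print("accepted:", clean)
    print("rejected:", rejected)
```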
If passed certain inputs, could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.