0
0
mirror of https://github.com/django/django.git synced 2024-11-25 07:59:34 +01:00
django/docs/releases/2.1.11.txt

22 lines
939 B
Plaintext
Raw Normal View History

===========================
Django 2.1.11 release notes
===========================
*August 1, 2019*
Django 2.1.11 fixes security issues in 2.1.10.
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.
The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.