mirror of
https://github.com/django/django.git
synced 2024-11-29 06:03:25 +01:00
41 lines
1.7 KiB
Plaintext
41 lines
1.7 KiB
Plaintext
==========================
|
|
Django 2.2.4 release notes
|
|
==========================
|
|
|
|
*August 1, 2019*
|
|
|
|
Django 2.2.4 fixes security issues and several bugs in 2.2.3.
|
|
|
|
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
|
|
================================================================================
|
|
|
|
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
|
|
were passed the ``html=True`` argument, they were extremely slow to evaluate
|
|
certain inputs due to a catastrophic backtracking vulnerability in a regular
|
|
expression. The ``chars()`` and ``words()`` methods are used to implement the
|
|
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
|
|
filters, which were thus vulnerable.
|
|
|
|
The regular expressions used by ``Truncator`` have been simplified in order to
|
|
avoid potential backtracking issues. As a consequence, trailing punctuation may
|
|
now at times be included in the truncated output.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a regression in Django 2.2 when ordering a ``QuerySet.union()``,
|
|
``intersection()``, or ``difference()`` by a field type present more than
|
|
once results in the wrong ordering being used (:ticket:`30628`).
|
|
|
|
* Fixed a migration crash on PostgreSQL when adding a check constraint
|
|
with a ``contains`` lookup on
|
|
:class:`~django.contrib.postgres.fields.DateRangeField` or
|
|
:class:`~django.contrib.postgres.fields.DateTimeRangeField`, if the right
|
|
hand side of an expression is the same type (:ticket:`30621`).
|
|
|
|
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path
|
|
contains nulls characters (``'\x00'``) (:ticket:`30506`).
|
|
|
|
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation
|
|
directory cannot be resolved (:ticket:`30647`).
|