| field | value | date |
|---|---|---|
| author | Florian Apolloner <florian@apolloner.eu> | 2019-07-15 11:46:09 +0200 |
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-07-29 11:18:34 +0200 |
| commit | 42a66e969023c00536256469f0e8b8a099ef109d (patch) | |
| tree | 30c19dbca291367841df1c7514cbb2dbf802a3cc /docs/releases/1.11.23.txt | |
| parent | 693046e54b9f207dece1907a2515ce555cec83be (diff) | |
| download | django-42a66e969023c00536256469f0e8b8a099ef109d.tar.gz | |
[1.11.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
Diffstat (limited to 'docs/releases/1.11.23.txt')
-rw-r--r-- | docs/releases/1.11.23.txt | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/1.11.23.txt b/docs/releases/1.11.23.txt index 9a3ab7cbc9..6058bb8a81 100644 --- a/docs/releases/1.11.23.txt +++ b/docs/releases/1.11.23.txt @@ -5,3 +5,17 @@ Django 1.11.23 release notes *August 1, 2019* Django 1.11.23 fixes security issues in 1.11.22. + +CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods +were passed the ``html=True`` argument, they were extremely slow to evaluate +certain inputs due to a catastrophic backtracking vulnerability in a regular +expression. The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus vulnerable. + +The regular expressions used by ``Truncator`` have been simplified in order to +avoid potential backtracking issues. As a consequence, trailing punctuation may +now at times be included in the truncated output. |
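Review bot: the last paragraph of the added note ("trailing punctuation may now at times be included in the truncated output") describes a user-visible change in rendered template output, but it is only mentioned in passing; consider calling it out explicitly as a behaviour change of the ``truncatechars_html`` and ``truncatewords_html`` filters, since projects that assert on rendered HTML in their test suites will see those assertions fail after upgrading and the note as written gives them no hint of what to look for. The note also states that only calls with ``html=True`` were affected; it would help readers triaging exposure to add one sentence confirming that ``Truncator`` with the default ``html=False`` is unchanged by this fix, rather than leaving that to inference.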