| field | value | date |
|---|---|---|
| author | Bob Ippolito <bob@redivi.com> | 2023-04-06 10:26:00 -0700 |
| committer | GitHub <noreply@github.com> | 2023-04-06 10:26:00 -0700 |
| commit | 1a4995dca71e02957d81becd7a053c9b4f19aceb (patch) | |
| tree | d97740dcd5e2185c30ab20550fe35558806dfac0 /CHANGES.txt | |
| parent | 9559fc756deaf20b6bae961b58c5289d8582c8b7 (diff) | |
| parent | ec4a3d5c7299b16a9bf4d431fa16f466cc453697 (diff) | |
| download | simplejson-1a4995dca71e02957d81becd7a053c9b4f19aceb.tar.gz | |
Merge pull request #313 from simplejson/audit-fixes (v3.19.0)
Implement recommended fixes from OSTIF audit
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- | CHANGES.txt | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index d2f7a94..c3e176c 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,3 +1,31 @@ +Version 3.19.0 released 2023-04-06 + +* This release contains security hardening measures based on recommendations + by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH. + Several of these measures include changing defaults to be more strict, + by default simplejson will now only consume and produce compliant JSON, + but the flags still exist for any backwards compatibility needs. + No high priority issues were discovered, the reference count + leak is thought to be unreachable since the digits of the float are + checked before PyOS_string_to_double is called. + A link to the public version of this report will be included in a + future release of simplejson. The following fixes were implemented in + one PR: https://github.com/simplejson/simplejson/pull/313 +* Fix invalid handling of unicode escape sequences in the pure Python + implementation of the decoder (SJ-PT-23-01) +* Fix missing reference count decrease if PyOS_string_to_double raises + an exception in Python 2.x; was probably unreachable (SJ-PT-23-02) +* Backport the integer string length limitation from Python 3.11 to + limit quadratic number parsing (SJ-PT-23-03) +* Fix inconsistencies with error messages between the C and Python + implementations (SJ-PT-23-100) +* Remove unused unichr import from encoder (SJ-PT-23-101) +* Remove unused namedtuple_as_object and tuple_as_array arguments from + simplejson.load (SJ-PT-23-102) +* Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) +* Change default of allow_nan from True to False and add allow_nan + to decoder (SJ-PT-23-107) + Version 3.18.4 released 2023-03-14 * Test the sdist to prevent future regressions |
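Review bot: The allow_nan default flip (SJ-PT-23-107) is the one entry in this hunk that changes behaviour for existing callers, and it is buried as the last bullet; it deserves its own "backwards incompatible" line near the top of the 3.19.0 entry stating that NaN/Infinity are now rejected by both the encoder and the new decoder flag unless the caller passes allow_nan=True. The summary paragraph says "the flags still exist for any backwards compatibility needs" without naming them, so readers upgrading cannot tell which flag to set; naming allow_nan there would close that gap. Smaller points: "No high priority issues were discovered, the reference count leak is thought to be unreachable" is a comma splice and reads better split into two sentences, and the SJ-PT-23-03 bullet could say what the integer string length limit is and whether it is configurable, since a silently introduced parse limit is exactly the kind of change operators grep a changelog for.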