chango.git, branch 5.2.9 django http://cgit.adnoto.dev/chango.git/atom?h=5.2.9 2025-12-02T12:31:25Z [5.2.x] Bumped version for 5.2.9 release. 2025-12-02T12:31:25Z Natalia 124304+nessita@users.noreply.github.com 2025-12-02T12:31:25Z urn:sha1:c14b756185c88f7f2eb745ff061f3c221fea9de7 [5.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. 2025-12-02T12:27:50Z Shai Berger shai@platonix.com 2025-10-11T18:42:56Z urn:sha1:99e7d22f55497278d0bcb2e15e72ef532e62a31d Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main. [5.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL. 2025-12-02T12:27:34Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-17T22:09:54Z urn:sha1:479415ce5249bcdebeb6570c72df2a87f45a7bbf Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main. [5.2.x] Fixed #36712 -- Evaluated type annotations lazily in template tag registration. 2025-12-02T01:51:26Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-29T23:45:39Z urn:sha1:da1dfe64c821ba03ca7b0c936184cca1ad641316 Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test. Backport of 34186e731ca20a2344b1f88fd543a854d6b13a00 from main. [5.2.x] Refs #36743 -- Corrected docstring for DisallowedRedirect. 2025-12-01T19:34:26Z Jacob Walls jacobtylerwalls@gmail.com 2025-12-01T13:54:37Z urn:sha1:e2ddec431395330b423ef193548f374b5c2f395e Backport of ce36c35e76f82f76cdfa5777456e794d481e5afc from main. [5.2.x] Closed temporary files in OverwritingStorageTests.test_save_overwrite_behavior_temp_file(). 2025-12-01T13:48:39Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-26T12:17:39Z urn:sha1:b83ee616c683c5a5879a176a2bbb84cb715a92d5 Backport of a08f1693f37e9aae9eca395020cce0638cb5aa5f from main. [5.2.x] Refs #35535 -- Used intended decorator in test_simple_block_tag_parens(). 2025-12-01T13:39:32Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-30T00:17:50Z urn:sha1:645dc99ab472b9152ccc483d7bbf4eca090da253 Backport of e94b19f6abdda70689aa17e399ce5fdef7897674 from main. [5.2.x] Added link to Python Pickle documentation in docs/topics/cache.txt. 2025-11-30T07:31:32Z Rida Zouga 96395950+ZougaRida@users.noreply.github.com 2025-11-30T07:29:43Z urn:sha1:85586052e8d1d9f160b9f1b351e61a787a8e4bed Co-authored-by: Rida Zouga <ridazouga@gmail.com> Backport of 3ea0195ca57790d7bd6921ecaa32312eabec78d0 from main [5.2.x] Fixed outdated redis-py link in cache docs. 2025-11-27T16:14:31Z Bruno Alla browniebroke@users.noreply.github.com 2025-11-27T16:12:19Z urn:sha1:de1dc3a87427475590d8efe10f3f627397524fca Backport of 7b32485ee98edf7e8b94ad9c8acdccee562bf216 from main. [5.2.x] Highlighted community package upgrade utilities in docs/howto/upgrade-version.txt. 2025-11-27T12:33:11Z Tim Schilling schillingt@better-simple.com 2025-11-13T20:31:50Z urn:sha1:ee92d41f562a229ae6c0e6f625d34e7e9ffdc0bb Backport of bd7940982d6cab386dae7698ab097b91e5d8145e from main.