django http://cgit.adnoto.dev/django.git/atom?h=4.2.27 2025-12-02T12:45:57Z 2025-12-02T12:45:57Z Natalia 124304+nessita@users.noreply.github.com 2025-12-02T12:45:57Z urn:sha1:5948e6657f8cb6aeaab1a5a45640d089230f461a 2025-12-02T12:44:40Z Shai Berger shai@platonix.com 2025-10-11T18:42:56Z urn:sha1:4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0 Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main. 2025-12-02T12:44:19Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-17T22:09:54Z urn:sha1:f997037b235f6b5c9e7c4a501491ec45f3400f3d Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main. 2025-11-26T23:08:24Z Natalia 124304+nessita@users.noreply.github.com 2025-11-26T16:22:52Z urn:sha1:4b5dcc96f2996150ff2675233ec0a69f67b7dc9b This also fixed a small bash issue in `confirm_release.sh` script. Backport of 532c1058a7dd2616181259c94eb92f2477038d2c from main. 2025-11-26T23:04:08Z Natalia 124304+nessita@users.noreply.github.com 2025-11-26T20:22:53Z urn:sha1:0e85bdbde1c1fdbd3a92cdb6d31fab788811da63 The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of the security release for CVE-2025-64458. Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main. 2025-11-26T20:31:17Z varunkasyap varunkasyap@hotmail.com 2025-11-26T17:28:24Z urn:sha1:e6973490373dca340e36f2db3eae1eb26a6a2d80 Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main. 2025-11-26T13:05:32Z Natalia 124304+nessita@users.noreply.github.com 2025-11-26T01:18:50Z urn:sha1:7d7f27bc9881dede6337212db1e9ccdbd37addae GitHub Actions defaults to a 360-minute (6-hour) timeout. We've had jobs hang due to issues in the parallel test runner, causing them to run for the full 6 hours. This wastes resources and negatively impacts CI availability, so explicit timeouts have been added to prevent long-running hangs. Backport of e48527f91d341c85a652499a5baaf725d36ae54f from main. 2025-11-25T18:21:18Z Natalia 124304+nessita@users.noreply.github.com 2025-11-18T16:13:31Z urn:sha1:b40c057c2585d0bc62a7e1c4cd96969ed9acf556 Backport of d62e811acfc6a056e847bfcc460092a98511ed00 from main. 2025-11-21T20:06:02Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-14T19:06:21Z urn:sha1:b794e741296474955742a6af6f8ff86108e72df8 Backport of 846613e521104fa2f2e1c2023e4a1a9886a2ff48 from main. 2025-11-21T20:01:37Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-14T18:58:40Z urn:sha1:6a803907407780f717f30663b2ae3bad43d7ac54 Backport of 86b8058b40145fb5ba4fd859676225f533eca986 from main.