django.git/django/core/serializers/xml_serializer.py, branch stable/5.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2025-12-02T12:27:50Z [5.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. 2025-12-02T12:27:50Z Shai Berger shai@platonix.com 2025-10-11T18:42:56Z urn:sha1:99e7d22f55497278d0bcb2e15e72ef532e62a31d Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main. Fixed #36062 -- Handled serialization of CompositePrimaryKeys. 2025-01-08T13:52:59Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-01-06T10:40:05Z urn:sha1:6a1a9c0eade674780060cf8af5f5b3375156cdd5 Fixed #35996 -- Fixed database serialization crash when serializing a many-to-many field that had a prefetch. 2024-12-18T09:39:20Z Erica Pisani erica.pisani@floatcard.com 2024-12-18T08:03:02Z urn:sha1:20f9f6180531279785ceabed6ab2f29ab634d8dc Fixed #35236 -- Used Field.attname/column attributes instead of get_attname()/get_attname_column(). 2024-02-20T10:34:00Z Adam Johnson me@adamj.eu 2024-02-19T22:32:55Z urn:sha1:31314980be428c0ab8a6cf40cce0a0c17ead8ec6 Applied Black's 2024 stable style. 2024-01-26T11:45:07Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-01-26T11:45:07Z urn:sha1:305757aec19c9d5111e4d76095ae0acd66163e4b https://github.com/psf/black/releases/tag/24.1.0 Fixed #34779 -- Avoided unnecessary selection of non-nullable m2m fields without natural keys during serialization. 2023-08-19T08:29:43Z Juan Alvarez juan@sytex.io 2023-08-15T19:53:30Z urn:sha1:517d3bb4dd17e9c51690c98d747b86a0ed8b2fbf By using `select_related(None)` instead of `select_related()`, the unnecessary joins are completely avoided. Note that the current tests already covers the change, when the field is not `null=True`. Regression in f9936deed1ff13b20e18bd9ca2b0750b52706b6c. Fixed #34620 -- Fixed serialization crash on m2m fields without natural keys when base querysets use select_related(). 2023-06-04T18:49:07Z Mariusz Felisiak felisiak.mariusz@gmail.com 2023-06-04T18:49:07Z urn:sha1:f9936deed1ff13b20e18bd9ca2b0750b52706b6c Regression in 19e0587ee596debf77540d6a08ccb6507e60b6a7. Thanks Martin Svoboda for the report. Fixed #33937 -- Optimized serialization of related m2m fields without natural keys. 2022-09-05T18:23:32Z Mark Evans mark@hellobaton.com 2022-09-03T13:53:58Z urn:sha1:19e0587ee596debf77540d6a08ccb6507e60b6a7 Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Fixed #30583 -- Fixed handling JSONFields in XML serializer. 2020-06-17T09:12:18Z Hasan Ramezani hasan.r67@gmail.com 2020-03-23T18:31:49Z urn:sha1:47651eadb8ca7aacddad41da4df64fd2af11faae Co-authored-by: Chason Chaffin <chason@gmail.com>