django http://cgit.adnoto.dev/django.git/atom?h=main 2026-04-22T18:25:08Z 2026-04-22T18:25:08Z Dinesh dineshthumma15@gmail.com 2026-03-21T17:21:11Z urn:sha1:dc467fdc3b5744cec71fab876c23a14013e2510b 2026-04-07T11:12:27Z Natalia 124304+nessita@users.noreply.github.com 2026-03-11T13:26:18Z urn:sha1:953c238058c0ce387a1a41cb491bfc1875d73ad0 The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. 2026-04-07T11:12:23Z Natalia 124304+nessita@users.noreply.github.com 2026-03-05T17:41:44Z urn:sha1:7e9885f99cee771b51692fadc5592bdbf19641aa When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. 2026-02-24T18:44:42Z sammiee5311 sammiee5311@gmail.com 2026-02-16T03:21:03Z urn:sha1:e84dc8715e91d51364ba6bda2b2fb07e7a8b750e Added LookupError to the except clause so invalid headers are silently skipped, consistent with other malformed header handling. 2026-02-10T22:59:02Z farhan farhanalirazaazeemi@gmail.com 2026-01-05T19:34:39Z urn:sha1:7732f942a98a709750fc1fed2c69741183844a3c 2025-11-26T20:17:46Z varunkasyap varunkasyap@hotmail.com 2025-11-26T17:28:24Z urn:sha1:a8cf8c292cfee98fe6cc873ca5221935f1d02271 Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. 2025-11-05T12:20:57Z Jacob Walls jacobtylerwalls@gmail.com 2025-10-16T20:28:33Z urn:sha1:c880530ddd4fabd5939bab0e148bebe36699432a Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821. 2025-08-28T17:25:36Z Jake Howard git@theorangeone.net 2025-08-20T15:04:48Z urn:sha1:41ff30f6f9d072036be1f74db8f0c8b21565299f Header parsing should apply only to the header value. The previous implementation happened to work but relied on unintended behavior. 2025-07-23T23:17:55Z django-bot ops@djangoproject.com 2025-07-23T03:41:41Z urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. 2025-07-23T23:17:55Z Mike Edmunds medmunds@gmail.com 2025-07-23T03:40:48Z urn:sha1:55b0cc21310b76ce4018dd793ba50556eaf0af06 Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.