django.git/django/utils, branch stable/5.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2026-03-03T12:17:39Z [5.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. 2026-03-03T12:17:39Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T21:03:20Z urn:sha1:b07ed2a1e445efde54fc64cb8c37e0f4f7fe53e5 This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main. [5.2.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit references from HTML truncation docs. 2026-02-25T16:12:17Z Natalia 124304+nessita@users.noreply.github.com 2026-02-25T13:37:38Z urn:sha1:703777cbbc268f62083c703fa27fa582b54bcc93 Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main. [5.2.x] Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. 2026-02-10T22:08:13Z 93578237 43147888+93578237@users.noreply.github.com 2026-02-09T21:06:50Z urn:sha1:a4999ef1b9790a4c0e793cf0e5c464e9935c3c3a Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main. [5.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input. 2026-02-03T13:15:39Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T12:53:10Z urn:sha1:9f2ada875bbee62ac46032e38ddb22755d67ae5a The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main. [5.2.x] Fixed #36712 -- Evaluated type annotations lazily in template tag registration. 2025-12-02T01:51:26Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-29T23:45:39Z urn:sha1:da1dfe64c821ba03ca7b0c936184cca1ad641316 Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test. Backport of 34186e731ca20a2344b1f88fd543a854d6b13a00 from main. [5.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase. 2025-11-26T20:19:57Z varunkasyap varunkasyap@hotmail.com 2025-11-26T17:28:24Z urn:sha1:0ae15bb52e17768839d057bc1ae3d72f2866458d Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main. [5.2.x] Fixed #36733 -- Escaped attributes in Stylesheet.__str__(). 2025-11-18T22:17:28Z varunkasyap varunkasyap@hotmail.com 2025-11-15T05:06:46Z urn:sha1:001c2f546b4053acb04f16d6b704f7b4fbca1c45 Thanks Mustafa Barakat for the report, Baptiste Mispelon for the triage, and Jake Howard for the review. Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main. [5.2.x] Fixed #36696 -- Fixed NameError when inspecting functions with deferred annotations. 2025-10-31T12:47:32Z Patrick Rauscher Patrick.Rauscher@deutschebahn.com 2025-10-30T09:13:14Z urn:sha1:6775888470317a6d69121779b489bb2dc7350318 In Python 3.14, annotations are deferred by default, so we should not assume that the names in them have been imported unconditionally. [5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract(). 2025-10-01T12:25:20Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-09-16T15:13:36Z urn:sha1:ed8fc39d77465eddbde1191a054ae965f6a8a584 Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main. [5.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`. 2025-06-04T11:34:51Z Natalia 124304+nessita@users.noreply.github.com 2025-05-20T18:29:52Z urn:sha1:7456aa23dafa149e65e62f95a6550cdb241d55ad Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.