django.git/docs/releases/5.2.13.txt, branch maindjango
http://cgit.adnoto.dev/django.git/atom?h=main2026-04-07T11:12:27ZFixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests.2026-04-07T11:12:27ZNatalia124304+nessita@users.noreply.github.com2026-03-11T13:26:18Zurn:sha1:953c238058c0ce387a1a41cb491bfc1875d73ad0
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.2026-04-07T11:12:23ZNatalia124304+nessita@users.noreply.github.com2026-03-05T17:41:44Zurn:sha1:7e9885f99cee771b51692fadc5592bdbf19641aa
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.2026-04-07T11:12:20ZJacob Wallsjacobtylerwalls@gmail.com2026-03-16T22:05:22Zurn:sha1:6afe7ce93964f56e33a29d477c269436f9b60cbf
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin.2026-04-07T11:12:16ZJacob Wallsjacobtylerwalls@gmail.com2026-03-12T15:00:05Zurn:sha1:ef8b25dcc06d158683a5623ce406d561638f4073
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.2026-04-07T11:12:09ZJacob Wallsjacobtylerwalls@gmail.com2026-01-22T22:01:46Zurn:sha1:caf90a971f09323775ed0cacf94eadaf39d040e0
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
Added stub release notes and release date for 6.0.4, 5.2.13, and 4.2.30.2026-03-31T16:26:49ZJacob Wallsjacobtylerwalls@gmail.com2026-03-27T20:13:25Zurn:sha1:dff1980d61b1129c82757f70117dcea68e69a8c8