<feed xmlns='http://www.w3.org/2005/Atom'>
<title>django.git/docs/releases/5.2.9.txt, branch stable/5.2.x</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x</id>
<link rel='self' href='http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/'/>
<updated>2025-12-02T12:27:50Z</updated>
<entry>
<title>[5.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer.</title>
<updated>2025-12-02T12:27:50Z</updated>
<author>
<name>Shai Berger</name>
<email>shai@platonix.com</email>
</author>
<published>2025-10-11T18:42:56Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=99e7d22f55497278d0bcb2e15e72ef532e62a31d'/>
<id>urn:sha1:99e7d22f55497278d0bcb2e15e72ef532e62a31d</id>
<content type='text'>
Previously, `getInnerText()` recursively used `list.extend()` on strings,
which added each character from child nodes as a separate list element.
On deeply nested XML content, this caused the overall deserialization
work to grow quadratically with input size, potentially allowing
disproportionate CPU consumption for crafted XML.

The fix separates collection of inner texts from joining them, so that
each subtree is joined only once, reducing the complexity to linear in
the size of the input. These changes also include a mitigation for an
xml.dom.minidom performance issue.

Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Jacob Walls &lt;jacobtylerwalls@gmail.com&gt;
Co-authored-by: Natalia &lt;124304+nessita@users.noreply.github.com&gt;

Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.
</content>
</entry>
<entry>
<title>[5.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.</title>
<updated>2025-12-02T12:27:34Z</updated>
<author>
<name>Jacob Walls</name>
<email>jacobtylerwalls@gmail.com</email>
</author>
<published>2025-11-17T22:09:54Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=479415ce5249bcdebeb6570c72df2a87f45a7bbf'/>
<id>urn:sha1:479415ce5249bcdebeb6570c72df2a87f45a7bbf</id>
<content type='text'>
Follow-up to CVE-2025-57833.

Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak
for the reviews.

Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.
</content>
</entry>
<entry>
<title>[5.2.x] Fixed #36712 -- Evaluated type annotations lazily in template tag registration.</title>
<updated>2025-12-02T01:51:26Z</updated>
<author>
<name>Jacob Walls</name>
<email>jacobtylerwalls@gmail.com</email>
</author>
<published>2025-11-29T23:45:39Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=da1dfe64c821ba03ca7b0c936184cca1ad641316'/>
<id>urn:sha1:da1dfe64c821ba03ca7b0c936184cca1ad641316</id>
<content type='text'>
Ideally, this will be reverted when an upstream solution is available for
https://github.com/python/cpython/issues/141560.

Thanks Patrick Rauscher for the report and Augusto Pontes for the
first iteration and test.

Backport of 34186e731ca20a2344b1f88fd543a854d6b13a00 from main.
</content>
</entry>
<entry>
<title>[5.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.</title>
<updated>2025-11-26T20:19:57Z</updated>
<author>
<name>varunkasyap</name>
<email>varunkasyap@hotmail.com</email>
</author>
<published>2025-11-26T17:28:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=0ae15bb52e17768839d057bc1ae3d72f2866458d'/>
<id>urn:sha1:0ae15bb52e17768839d057bc1ae3d72f2866458d</id>
<content type='text'>
Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for the report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
</content>
</entry>
<entry>
<title>[5.2.x] Added stub release notes and release date for 5.2.9, 5.1.15, and 4.2.27.</title>
<updated>2025-11-25T18:17:14Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2025-11-18T16:13:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=bbbe64a262b214b08575f6ade8c0428df2f8377b'/>
<id>urn:sha1:bbbe64a262b214b08575f6ade8c0428df2f8377b</id>
<content type='text'>
Backport of d62e811acfc6a056e847bfcc460092a98511ed00 from main.
</content>
</entry>
<entry>
<title>[5.2.x] Fixed #36751 -- Fixed empty filtered aggregation crash over annotated queryset.</title>
<updated>2025-11-24T11:15:48Z</updated>
<author>
<name>Simon Charette</name>
<email>charette.s@gmail.com</email>
</author>
<published>2025-11-24T11:14:38Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=1e7327770c908cb51f888c9269322247fa3525a5'/>
<id>urn:sha1:1e7327770c908cb51f888c9269322247fa3525a5</id>
<content type='text'>
Regression in b8e5a8a9a2a767f584cbe89a878a42363706f939.

Refs #36404.

The replace_expressions method was inappropriately dealing with falsey
but not None source expressions causing them to also be potentially
evaluated when __bool__ was invoked (e.g. QuerySet.__bool__ evaluates
the queryset).

The changes introduced in b8e5a8a9a2, which were to deal with a similar
issue, surfaced the problem as aggregation over an annotated queryset
requires an inlining (or pushdown) of aggregate references which is
achieved through replace_expressions.

In cases where an empty Q object was provided as an aggregate filter,
such as when the admin facetting feature was used as reported, it would
wrongly be turned into None, instead of an empty WhereNode, causing a
crash at aggregate filter compilation.

Note that the crash signature differed depending on whether or not the
backend natively supports aggregate filtering
(supports_aggregate_filter_clause) as the fallback, which makes use of
Case / When expressions, would result in a TypeError instead of a
NoneType AttributeError.

Thanks Rafael Urben for the report, Antoliny and Youngkwang Yang for
the triage.

Backport of 2a6e0bd72d4a69725b957d6748a4b834f21b12b5 from main.
</content>
</entry>
<entry>
<title>[5.2.x] Fixed #36748 -- Filtered non-standard placeholders from UNNEST queries.</title>
<updated>2025-11-20T22:24:10Z</updated>
<author>
<name>Chris Wesseling</name>
<email>chris@maykinmedia.nl</email>
</author>
<published>2025-11-20T14:01:14Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=ac9bdcabe10fb7ac0c7e9ebcd879f5e34bee776f'/>
<id>urn:sha1:ac9bdcabe10fb7ac0c7e9ebcd879f5e34bee776f</id>
<content type='text'>
Backport of 5834643f43a767fe19f2c6d10217b204e7584ec8 from main.
</content>
</entry>
<entry>
<title>[5.2.x] Fixed #36733 -- Escaped attributes in Stylesheet.__str__().</title>
<updated>2025-11-18T22:17:28Z</updated>
<author>
<name>varunkasyap</name>
<email>varunkasyap@hotmail.com</email>
</author>
<published>2025-11-15T05:06:46Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=001c2f546b4053acb04f16d6b704f7b4fbca1c45'/>
<id>urn:sha1:001c2f546b4053acb04f16d6b704f7b4fbca1c45</id>
<content type='text'>
Thanks Mustafa Barakat for the report, Baptiste Mispelon for
the triage, and Jake Howard for the review.

Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.
</content>
</entry>
<entry>
<title>[5.2.x] Added stub release notes for 5.2.9.</title>
<updated>2025-11-05T14:18:37Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2025-11-05T14:12:30Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=842200752ccb05a1e53ccdeb32aa82a5c100cfe7'/>
<id>urn:sha1:842200752ccb05a1e53ccdeb32aa82a5c100cfe7</id>
<content type='text'>
Backport of 6e18c078d5c044a1d22dd6a64ace11d9e5f6d0bc from main.
</content>
</entry>
</feed>
