django.git/docs/topics/serialization.txt, branch 4.2.29 django http://cgit.adnoto.dev/django.git/atom?h=4.2.29 2025-12-02T12:44:40Z [4.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. 2025-12-02T12:44:40Z Shai Berger shai@platonix.com 2025-10-11T18:42:56Z urn:sha1:4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0 Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main. [4.2.x] Fixed #34140 -- Reformatted code blocks in docs with blacken-docs. 2023-03-01T12:39:03Z django-bot ops@djangoproject.com 2023-03-01T12:35:43Z urn:sha1:62510f01e76ad0526c94ea6d1bc6399c1ddf3df4 [4.2.x] Refs #34140 -- Corrected rst code-block and various formatting issues in docs. 2023-02-28T11:54:33Z Joseph Victor Zammit jvzammit@gmail.com 2023-01-23T20:29:05Z urn:sha1:5bdd6223a24b2bcd0ee32251d6f3ce20e934a1dd Backport of ba755ca13123d2691a0926ddb64e5d0a2906a880 from main [4.2.x] Refs #34140 -- Applied rst code-block to non-Python examples. 2023-02-10T20:12:06Z Carlton Gibson carlton.gibson@noumenal.es 2023-02-09T15:48:46Z urn:sha1:b784768eef75afb32f6d2ce7166551a528bce0ec Thanks to J.V. Zammit, Paolo Melchiorre, and Mariusz Felisiak for reviews. Backport of 534ac4829764f317cf2fbc4a18354fcc998c1425 from main. [4.2.x] Fixed #34311 -- Updated serialization docs from unique_together to UniqueConstraint. 2023-02-09T04:56:31Z Willem Van Onsem vanonsem.willem@gmail.com 2023-02-04T21:48:44Z urn:sha1:7a88b1f5aaea0c52e16aabbdd7a8ea57ca0f6aea Backport of 292aacaf6c3d6956ca2c51c41e36dbf425389346 from main Refs #30947 -- Changed tuples to lists where appropriate. 2022-08-30T07:57:17Z Alex Morega alex@grep.ro 2022-08-26T14:10:27Z urn:sha1:de6c9c70549010fc39509f9ef3f6a62ada870318 Updated example of YAML serialization format in docs. 2021-12-28T11:44:41Z Sergey Fursov geyser85@gmail.com 2021-12-27T11:51:43Z urn:sha1:feeb0685c62a793c55a058584ba1de45e74f80f7 Removed versionadded/changed annotations for 3.2. 2021-09-20T19:23:01Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-09-16T05:43:34Z urn:sha1:97237ad3feed80407ed1884ea84cf00fd9fea367 Refs #32720 -- Updated various links in docs to avoid redirects and use HTTPS. 2021-05-17T07:46:09Z Nick Pope nick@nickpope.me.uk 2021-04-27T11:09:00Z urn:sha1:c156e369553c75a30c78b8ed54a57b1101865105 Removed versionadded/changed annotations for 3.1. 2021-01-14T16:50:04Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-01-05T10:20:50Z urn:sha1:b7dd89ed5389067cb70294682ffef1ba23d33934