django.git/tests/serializers/test_xml.py, branch 4.2.27 django http://cgit.adnoto.dev/django.git/atom?h=4.2.27 2025-12-02T12:44:40Z [4.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. 2025-12-02T12:44:40Z Shai Berger shai@platonix.com 2025-10-11T18:42:56Z urn:sha1:4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0 Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main. [4.2.x] Fixed #34620 -- Fixed serialization crash on m2m fields without natural keys when base querysets use select_related(). 2023-06-04T18:49:40Z Mariusz Felisiak felisiak.mariusz@gmail.com 2023-06-04T18:49:07Z urn:sha1:87a4cd559bc47a53c717a45a8b0a181681fe8a32 Regression in 19e0587ee596debf77540d6a08ccb6507e60b6a7. Thanks Martin Svoboda for the report. Backport of f9936deed1ff13b20e18bd9ca2b0750b52706b6c from main Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07T19:37:05Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-02-04T07:08:27Z urn:sha1:7119f40c9881666b6f9b5cf7df09ee1d21cc8344 Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Fixed #29249 -- Made JSON and YAML serializers use Unicode by default. 2020-04-28T09:11:39Z Hasan Ramezani hasan.r67@gmail.com 2020-04-23T20:14:32Z urn:sha1:68fc21b3784aa34c7ba5515ab02ef0c7b6ee856d Refs #29249 -- Added tests for serializing Unicode data with XML serializer. 2020-04-28T09:11:39Z Hasan Ramezani hasan.r67@gmail.com 2020-04-27T10:45:46Z urn:sha1:8970bb4cfdc56cb90b84ff2154afe622c9e9eaf7 Fixed #28856 -- Fixed a regression in caching of a GenericForeignKey pointing to a MTI model. 2017-11-30T14:28:44Z Simon Charette charette.s@gmail.com 2017-11-29T06:06:45Z urn:sha1:e50add6ca1605dcc06c8c5a5770342779a4d5124 Regression in b9f8635f58ad743995cad2081b3dc395e55761e5. Refs #23919 -- Removed six.<various>_types usage 2017-01-18T19:18:46Z Claude Paroz claude@2xlibre.net 2016-12-29T15:27:49Z urn:sha1:7b2f2e74adb36a4334e83130f6abc2f79d395235 Thanks Tim Graham and Simon Charette for the reviews. Refs #23919 -- Removed encoding preambles and future imports 2017-01-18T08:55:19Z Claude Paroz claude@2xlibre.net 2016-11-19T17:19:41Z urn:sha1:d7b9aaa366dd54ecc3142c588162e3adc7c2f7ac Separated XML serialization tests 2015-09-26T17:58:43Z Claude Paroz claude@2xlibre.net 2015-09-26T08:51:59Z urn:sha1:d3cfdfb508c191278761711f0ce91b789d65b37c