summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-06-26 12:11:54 +0200
committerNatalia <124304+nessita@users.noreply.github.com>2024-07-09 10:40:50 -0300
commit17358fb35fb7217423d4c4877ccb6d1a3a40b1c3 (patch)
treee802672709dcf881b3cd1cabb980e396467d6242 /docs
parent2b00edc0151a660d1eb86da4059904a0fc4e095e (diff)
[4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/utils.txt10
-rw-r--r--docs/releases/4.2.14.txt15
2 files changed, 25 insertions, 0 deletions
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index b2b826684d..471a4b31eb 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -1155,6 +1155,11 @@ For a complete discussion on the usage of the following see the
``lang_code`` is ``'es-ar'`` and ``'es'`` is in :setting:`LANGUAGES` but
``'es-ar'`` isn't.
+ ``lang_code`` has a maximum accepted length of 500 characters. A
+ :exc:`ValueError` is raised if ``lang_code`` exceeds this limit and
+ ``strict`` is ``True``, or if there is no generic variant and ``strict``
+ is ``False``.
+
If ``strict`` is ``False`` (the default), a country-specific variant may
be returned when neither the language code nor its generic variant is found.
For example, if only ``'es-co'`` is in :setting:`LANGUAGES`, that's
@@ -1163,6 +1168,11 @@ For a complete discussion on the usage of the following see the
Raises :exc:`LookupError` if nothing is found.
+ .. versionchanged:: 4.2.14
+
+ In older versions, ``lang_code`` values over 500 characters were
+ processed without raising a :exc:`ValueError`.
+
.. function:: to_locale(language)
Turns a language name (en-us) into a locale name (en_US).
diff --git a/docs/releases/4.2.14.txt b/docs/releases/4.2.14.txt
index dc20cd9f28..08523e27fd 100644
--- a/docs/releases/4.2.14.txt
+++ b/docs/releases/4.2.14.txt
@@ -32,3 +32,18 @@ directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.
Built-in ``Storage`` sub-classes were not affected by this vulnerability.
+
+CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
+=================================================================================================
+
+:meth:`~django.utils.translation.get_supported_language_variant` was subject to
+a potential denial-of-service attack when used with very long strings
+containing specific characters.
+
+To mitigate this vulnerability, the language code provided to
+:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
+up to a maximum length of 500 characters.
+
+When the language code is over 500 characters, a :exc:`ValueError` will now be
+raised if ``strict`` is ``True``, or if there is no generic variant and
+``strict`` is ``False``.