summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorShai Berger <shai@platonix.com>2015-06-30 01:09:21 +0300
committerTim Graham <timograham@gmail.com>2015-07-08 15:23:19 -0400
commit8f9a4d3a2bc42f14bb437defd30c7315adbff22c (patch)
tree00552e5bf72b45186b14aadc17aa63e2073e6617 /docs
parent574dd5e0b0fbb877ae5827b1603d298edc9bb2a0 (diff)
[1.8.x] Fixed catastrophic backtracking in URLValidator.
Thanks João Silva for reporting the problem and Tim Graham for finding the problematic RE and for review. This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.8.3.txt7
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/1.8.3.txt b/docs/releases/1.8.3.txt
index 5c6301274b..5e01a131a2 100644
--- a/docs/releases/1.8.3.txt
+++ b/docs/releases/1.8.3.txt
@@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now
stricter as it validates using a regular expression instead of simply casting
the value using ``int()`` and checking if an exception was raised.
+Denial-of-service possibility in URL validation
+===============================================
+
+:class:`~django.core.validators.URLValidator` included a regular expression
+that was extremely slow to evaluate against certain invalid inputs. This regular
+expression has been simplified and optimized.
+
Bugfixes
========