summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-12-11 08:31:03 -0500
committerTim Graham <timograham@gmail.com>2015-01-13 13:03:06 -0500
commitbaf2542c4f502d8f5adc3704eb22ca237d50aee1 (patch)
tree660e5573bbf616ba23ece50c7e7d4f0a098e8b1e /docs
parenta3bebfdc34686622b91e7f3154390ca2058957f9 (diff)
Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly. Thanks Keryn Knight for the report and initial patch.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.6.10.txt9
-rw-r--r--docs/releases/1.7.3.txt9
-rw-r--r--docs/spelling_wordlist1
3 files changed, 19 insertions, 0 deletions
diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt
index 20aa595b77..5b8f0cdec3 100644
--- a/docs/releases/1.6.10.txt
+++ b/docs/releases/1.6.10.txt
@@ -58,3 +58,12 @@ Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
+
+Database denial-of-service with ``ModelMultipleChoiceField``
+============================================================
+
+Given a form that uses ``ModelMultipleChoiceField`` and
+``show_hidden_initial=True`` (not a documented API), it was possible for a user
+to cause an unreasonable number of SQL queries by submitting duplicate values
+for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
+deduplicates submitted values to address this issue.
diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt
index 2da43658f8..234099590b 100644
--- a/docs/releases/1.7.3.txt
+++ b/docs/releases/1.7.3.txt
@@ -59,6 +59,15 @@ hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
+Database denial-of-service with ``ModelMultipleChoiceField``
+============================================================
+
+Given a form that uses ``ModelMultipleChoiceField`` and
+``show_hidden_initial=True`` (not a documented API), it was possible for a user
+to cause an unreasonable number of SQL queries by submitting duplicate values
+for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
+deduplicates submitted values to address this issue.
+
Bugfixes
========
diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist
index 008da9fe93..7efc687e17 100644
--- a/docs/spelling_wordlist
+++ b/docs/spelling_wordlist
@@ -138,6 +138,7 @@ de
Debian
deconstruct
deconstructing
+deduplicates
deepcopy
deserialization
deserialize