diff options
| author | Tim Graham <timograham@gmail.com> | 2014-12-11 08:31:03 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-01-13 13:03:06 -0500 |
| commit | baf2542c4f502d8f5adc3704eb22ca237d50aee1 (patch) | |
| tree | 660e5573bbf616ba23ece50c7e7d4f0a098e8b1e /docs | |
| parent | a3bebfdc34686622b91e7f3154390ca2058957f9 (diff) | |
Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly.
Thanks Keryn Knight for the report and initial patch.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.6.10.txt | 9 | ||||
| -rw-r--r-- | docs/releases/1.7.3.txt | 9 | ||||
| -rw-r--r-- | docs/spelling_wordlist | 1 |
3 files changed, 19 insertions, 0 deletions
diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt index 20aa595b77..5b8f0cdec3 100644 --- a/docs/releases/1.6.10.txt +++ b/docs/releases/1.6.10.txt @@ -58,3 +58,12 @@ Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so. + +Database denial-of-service with ``ModelMultipleChoiceField`` +============================================================ + +Given a form that uses ``ModelMultipleChoiceField`` and +``show_hidden_initial=True`` (not a documented API), it was possible for a user +to cause an unreasonable number of SQL queries by submitting duplicate values +for the field's data. The validation logic in ``ModelMultipleChoiceField`` now +deduplicates submitted values to address this issue. diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt index 2da43658f8..234099590b 100644 --- a/docs/releases/1.7.3.txt +++ b/docs/releases/1.7.3.txt @@ -59,6 +59,15 @@ hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so. +Database denial-of-service with ``ModelMultipleChoiceField`` +============================================================ + +Given a form that uses ``ModelMultipleChoiceField`` and +``show_hidden_initial=True`` (not a documented API), it was possible for a user +to cause an unreasonable number of SQL queries by submitting duplicate values +for the field's data. The validation logic in ``ModelMultipleChoiceField`` now +deduplicates submitted values to address this issue. + Bugfixes ======== diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist index 008da9fe93..7efc687e17 100644 --- a/docs/spelling_wordlist +++ b/docs/spelling_wordlist @@ -138,6 +138,7 @@ de Debian deconstruct deconstructing +deduplicates deepcopy deserialization deserialize |
