summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-12-11 08:31:03 -0500
committerTim Graham <timograham@gmail.com>2015-01-13 13:02:56 -0500
commitbcfb47780ce7caecb409a9e9c1c314266e41d392 (patch)
tree9ad5d945cdfe229070436d0e30c6078f8f454f7b /docs
parent818e59a3f0fbadf6c447754d202d88df025f8f2a (diff)
[1.7.x] Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly. Thanks Keryn Knight for the report and initial patch.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.6.10.txt9
-rw-r--r--docs/releases/1.7.3.txt9
-rw-r--r--docs/spelling_wordlist1
3 files changed, 19 insertions, 0 deletions
diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt
index 20aa595b77..5b8f0cdec3 100644
--- a/docs/releases/1.6.10.txt
+++ b/docs/releases/1.6.10.txt
@@ -58,3 +58,12 @@ Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
+
+Database denial-of-service with ``ModelMultipleChoiceField``
+============================================================
+
+Given a form that uses ``ModelMultipleChoiceField`` and
+``show_hidden_initial=True`` (not a documented API), it was possible for a user
+to cause an unreasonable number of SQL queries by submitting duplicate values
+for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
+deduplicates submitted values to address this issue.
diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt
index 2da43658f8..234099590b 100644
--- a/docs/releases/1.7.3.txt
+++ b/docs/releases/1.7.3.txt
@@ -59,6 +59,15 @@ hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
+Database denial-of-service with ``ModelMultipleChoiceField``
+============================================================
+
+Given a form that uses ``ModelMultipleChoiceField`` and
+``show_hidden_initial=True`` (not a documented API), it was possible for a user
+to cause an unreasonable number of SQL queries by submitting duplicate values
+for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
+deduplicates submitted values to address this issue.
+
Bugfixes
========
diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist
index 23465d2f4e..da7ce09d29 100644
--- a/docs/spelling_wordlist
+++ b/docs/spelling_wordlist
@@ -134,6 +134,7 @@ dbshell
de
deconstruct
deconstructing
+deduplicates
deepcopy
deserialization
deserialize