diff options
| author | Tim Graham <timograham@gmail.com> | 2014-12-11 08:31:03 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-01-13 13:02:56 -0500 |
| commit | bcfb47780ce7caecb409a9e9c1c314266e41d392 (patch) | |
| tree | 9ad5d945cdfe229070436d0e30c6078f8f454f7b /docs | |
| parent | 818e59a3f0fbadf6c447754d202d88df025f8f2a (diff) | |
[1.7.x] Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly.
Thanks Keryn Knight for the report and initial patch.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.6.10.txt | 9 | ||||
| -rw-r--r-- | docs/releases/1.7.3.txt | 9 | ||||
| -rw-r--r-- | docs/spelling_wordlist | 1 |
3 files changed, 19 insertions, 0 deletions
diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt index 20aa595b77..5b8f0cdec3 100644 --- a/docs/releases/1.6.10.txt +++ b/docs/releases/1.6.10.txt @@ -58,3 +58,12 @@ Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so. + +Database denial-of-service with ``ModelMultipleChoiceField`` +============================================================ + +Given a form that uses ``ModelMultipleChoiceField`` and +``show_hidden_initial=True`` (not a documented API), it was possible for a user +to cause an unreasonable number of SQL queries by submitting duplicate values +for the field's data. The validation logic in ``ModelMultipleChoiceField`` now +deduplicates submitted values to address this issue. diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt index 2da43658f8..234099590b 100644 --- a/docs/releases/1.7.3.txt +++ b/docs/releases/1.7.3.txt @@ -59,6 +59,15 @@ hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so. +Database denial-of-service with ``ModelMultipleChoiceField`` +============================================================ + +Given a form that uses ``ModelMultipleChoiceField`` and +``show_hidden_initial=True`` (not a documented API), it was possible for a user +to cause an unreasonable number of SQL queries by submitting duplicate values +for the field's data. The validation logic in ``ModelMultipleChoiceField`` now +deduplicates submitted values to address this issue. + Bugfixes ======== diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist index 23465d2f4e..da7ce09d29 100644 --- a/docs/spelling_wordlist +++ b/docs/spelling_wordlist @@ -134,6 +134,7 @@ dbshell de deconstruct deconstructing +deduplicates deepcopy deserialization deserialize |
