summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2019-07-15 11:46:09 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2019-07-29 11:09:18 +0200
commitc23723a1551340cc7d3126f04fcfd178fa224193 (patch)
tree81336da419e3bf9b62843fc7a17872b180558646 /docs
parent24eba901eb9795ee87eddd5447ede62053fe59d4 (diff)
[2.1.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.23.txt14
-rw-r--r--docs/releases/2.1.11.txt14
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/1.11.23.txt b/docs/releases/1.11.23.txt
index 9a3ab7cbc9..6058bb8a81 100644
--- a/docs/releases/1.11.23.txt
+++ b/docs/releases/1.11.23.txt
@@ -5,3 +5,17 @@ Django 1.11.23 release notes
*August 1, 2019*
Django 1.11.23 fixes security issues in 1.11.22.
+
+CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
+were passed the ``html=True`` argument, they were extremely slow to evaluate
+certain inputs due to a catastrophic backtracking vulnerability in a regular
+expression. The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus vulnerable.
+
+The regular expressions used by ``Truncator`` have been simplified in order to
+avoid potential backtracking issues. As a consequence, trailing punctuation may
+now at times be included in the truncated output.
diff --git a/docs/releases/2.1.11.txt b/docs/releases/2.1.11.txt
index b8098334e1..f4ee3dbd30 100644
--- a/docs/releases/2.1.11.txt
+++ b/docs/releases/2.1.11.txt
@@ -5,3 +5,17 @@ Django 2.1.11 release notes
*August 1, 2019*
Django 2.1.11 fixes security issues in 2.1.10.
+
+CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
+were passed the ``html=True`` argument, they were extremely slow to evaluate
+certain inputs due to a catastrophic backtracking vulnerability in a regular
+expression. The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus vulnerable.
+
+The regular expressions used by ``Truncator`` have been simplified in order to
+avoid potential backtracking issues. As a consequence, trailing punctuation may
+now at times be included in the truncated output.