[2.2.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().

Thanks to Guido Vranken for initial report.
author: Florian Apolloner <florian@apolloner.eu> 2019-07-19 17:04:53 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-07-29 11:06:54 +0200
commit: cf694e6852b0da7799f8b53f1fb2f7d20cf17534 (patch)
tree: 54a6364a37c9bd1626cc393592b30b9daaf8350e /docs/releases/2.2.4.txt
parent: 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt
index 3aac51869c..8a71fec783 100644
--- a/docs/releases/2.2.4.txt
+++ b/docs/releases/2.2.4.txt
@@ -46,6 +46,16 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie
 were subject to SQL injection, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
 
+CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
+=====================================================================================
+
+If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
+to significant memory usage due to excessive recursion when re-percent-encoding
+invalid UTF-8 octet sequences.
+
+``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
+octet sequences.
+
 Bugfixes
 ========
author	Florian Apolloner <florian@apolloner.eu>	2019-07-19 17:04:53 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2019-07-29 11:06:54 +0200
commit	cf694e6852b0da7799f8b53f1fb2f7d20cf17534 (patch)
tree	54a6364a37c9bd1626cc393592b30b9daaf8350e /docs/releases/2.2.4.txt
parent	4f5b58f5cd3c57fee9972ab074f8dc6895d8f387 (diff)