Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().

Thanks to Guido Vranken for initial report.
author: Florian Apolloner <florian@apolloner.eu> 2019-07-19 17:04:53 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-08-01 09:24:54 +0200
commit: 76ed1c49f804d409cfc2911a890c78584db3c76e (patch)
tree: 5ef2a16f5ed2daff97c3d1c40e0d6c7134edfb30 /docs/releases/2.2.4.txt
parent: 7deeabc7c7526786df6894429ce89a9c4b614086 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt
index 3aac51869c..8a71fec783 100644
--- a/docs/releases/2.2.4.txt
+++ b/docs/releases/2.2.4.txt
@@ -46,6 +46,16 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie
 were subject to SQL injection, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
 
+CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
+=====================================================================================
+
+If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
+to significant memory usage due to excessive recursion when re-percent-encoding
+invalid UTF-8 octet sequences.
+
+``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
+octet sequences.
+
 Bugfixes
 ========
author	Florian Apolloner <florian@apolloner.eu>	2019-07-19 17:04:53 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2019-08-01 09:24:54 +0200
commit	76ed1c49f804d409cfc2911a890c78584db3c76e (patch)
tree	5ef2a16f5ed2daff97c3d1c40e0d6c7134edfb30 /docs/releases/2.2.4.txt
parent	7deeabc7c7526786df6894429ce89a9c4b614086 (diff)