path: root/docs/releases/2.2.4.txt
author: Florian Apolloner <florian@apolloner.eu> 2019-07-15 11:46:09 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-08-01 09:24:54 +0200
commit: 7f65974f8219729c047fbbf8cd5cc9d80faefe77
tree: 75306bbf491c52e18bd2216403f9e8cccd9654c3 /docs/releases/2.2.4.txt
parent: eea0bf7bd58cda4618ecc10133f0ad09effe1a2e
Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
Diffstat (limited to 'docs/releases/2.2.4.txt')
-rw-r--r--  docs/releases/2.2.4.txt  | 14
1 file changed, 14 insertions, 0 deletions
diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt
index 59c05bf0e2..b22aa42482 100644
--- a/docs/releases/2.2.4.txt
+++ b/docs/releases/2.2.4.txt
@@ -6,6 +6,20 @@ Django 2.2.4 release notes
Django 2.2.4 fixes security issues and several bugs in 2.2.3.
+CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
+were passed the ``html=True`` argument, they were extremely slow to evaluate
+certain inputs due to a catastrophic backtracking vulnerability in a regular
+expression. The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus vulnerable.
+
+The regular expressions used by ``Truncator`` have been simplified in order to
+avoid potential backtracking issues. As a consequence, trailing punctuation may
+now at times be included in the truncated output.
+
Bugfixes
========
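Review bot: the closing sentence of the new section, "trailing punctuation may now at times be included in the truncated output", does not let a reader tell when their rendered output changes; state the condition under which punctuation is now kept, or give a one-line before/after pair for ``truncatechars_html``, so projects with rendering or snapshot tests know what to expect after upgrading. The first paragraph would also help operators triaging the upgrade if it said explicitly that the slow path is reached whenever untrusted HTML is passed to ``chars()`` / ``words()`` with ``html=True`` (that is, through the two template filters), since that is what makes "extremely slow to evaluate certain inputs" a denial-of-service issue rather than a performance bug.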