author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-06-26 12:11:54 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2024-07-09 10:03:38 -0300
commit: 8e7a44e4bec0f11474699c3111a5e0a45afe7f49 (patch)
tree: 911f421002435414196ef6df8a8b761ccf1350f7 /docs/releases/4.2.14.txt
parent: 9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270 (diff)
[5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
Diffstat (limited to 'docs/releases/4.2.14.txt')
-rw-r--r--  docs/releases/4.2.14.txt | 15
1 file changed, 15 insertions, 0 deletions
diff --git a/docs/releases/4.2.14.txt b/docs/releases/4.2.14.txt
index dc20cd9f28..08523e27fd 100644
--- a/docs/releases/4.2.14.txt
+++ b/docs/releases/4.2.14.txt
@@ -32,3 +32,18 @@ directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.
Built-in ``Storage`` sub-classes were not affected by this vulnerability.
+
+CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
+=================================================================================================
+
+:meth:`~django.utils.translation.get_supported_language_variant` was subject to
+a potential denial-of-service attack when used with very long strings
+containing specific characters.
+
+To mitigate this vulnerability, the language code provided to
+:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
+up to a maximum length of 500 characters.
+
+When the language code is over 500 characters, a :exc:`ValueError` will now be
+raised if ``strict`` is ``True``, or if there is no generic variant and
+``strict`` is ``False``.
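Review bot: the two mitigation paragraphs can be read inconsistently: "is now parsed up to a maximum length of 500 characters" suggests the code is truncated to 500 characters before matching, while "When the language code is over 500 characters, a :exc:`ValueError` will now be raised" suggests it is rejected outright, with the ``strict`` / "no generic variant" condition implying a fallback is still attempted. State which it is, for example "Only the first 500 characters of the language code are considered; if no supported variant is found within that prefix, a :exc:`ValueError` is raised when ``strict`` is ``True`` ..." so that callers relying on the non-strict fallback know whether a generic variant can still be returned for over-length input. It would also help to point the reader at the :meth:`~django.utils.translation.get_supported_language_variant` reference for what "generic variant" means, since that term is not defined in this note.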