| author | Natalia <124304+nessita@users.noreply.github.com> | 2023-09-19 09:51:48 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2023-10-04 09:22:26 -0300 |
| commit | 17b51094d778b421bb2b3aae0c270894b050455d (patch) | |
| tree | fe06719d14fd28723ed22c2ff90035d47a8faca6 /docs/releases/4.2.6.txt | |
| parent | 1dae65dc63ae84be5002c37b4ddae0b9220e8808 (diff) | |
Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
Diffstat (limited to 'docs/releases/4.2.6.txt')
| -rw-r--r-- | docs/releases/4.2.6.txt | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/4.2.6.txt b/docs/releases/4.2.6.txt index 31929468a6..9b99d8c622 100644 --- a/docs/releases/4.2.6.txt +++ b/docs/releases/4.2.6.txt @@ -7,6 +7,24 @@ Django 4.2.6 release notes Django 4.2.6 fixes a security issue with severity "moderate" and several bugs in 4.2.5. +CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +Following the fix for :cve:`2019-14232`, the regular expressions used in the +implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` +methods (with ``html=True``) were revised and improved. However, these regular +expressions still exhibited linear backtracking complexity, so when given a +very long, potentially malformed HTML input, the evaluation would still be +slow, leading to a potential denial of service vulnerability. + +The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus also vulnerable. + +The input processed by ``Truncator``, when operating in HTML mode, has been +limited to the first five million characters in order to avoid potential +performance and memory issues. + Bugfixes ======== |
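Review bot: The new section does not tell users what happens to input beyond the stated limit. The last paragraph says the input "has been limited to the first five million characters", but a reader cannot tell whether the excess is silently discarded, whether an error is raised, or whether the template filters behave differently from direct ``Truncator`` use; one sentence spelling out the observable behaviour for over-limit input would make the note actionable for anyone auditing templates that truncate user-supplied HTML. The phrase "still exhibited linear backtracking complexity" also reads oddly next to "the evaluation would still be slow", since linear-time matching would not be a denial-of-service concern; consider wording it as the regular expressions still being susceptible to excessive backtracking on very long, malformed input, which is what the rest of the paragraph describes.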
