August 6, 2024
Django 5.0.8 fixes three security issues with severity "moderate", one security issue with severity "high", and several bugs in 5.0.7.
django.utils.numberformat.floatformat()
¶If floatformat
received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
django.utils.html.urlize()
¶urlize
and urlizetrunc
were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
django.utils.html.urlize()
and AdminURLFieldWidget
¶urlize
, urlizetrunc
, and AdminURLFieldWidget
were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
QuerySet.values()
and values_list()
¶QuerySet.values()
and values_list()
methods on models
with a JSONField
were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed *arg
.
UniqueConstraint(nulls_distinct=False)
when
using *expressions
(#35594).ModelAdmin.action_checkbox
could
break the admin changelist HTML page when rendering a model instance with a
__html__
method (#35606).Field.db_default
and a
Meta.constraints
constraint composed of __endswith
, __startswith
,
or __contains
lookups (#35625).LocaleMiddleware
when processing a language code over 500 characters
(#35627).ModelAdmin.date_hierarchy
was a GeneratedField
with an
output_field
of DateField
or DateTimeField
(#35628).Field.db_default
(#35638).FileField
with a db_default
set (#35657).9月 16, 2024