Django 5.0.8 release notes

August 6, 2024

Django 5.0.8 fixes three moderate-severity security issues, one high-severity security issue, and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()

If floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption.

To avoid this, decimals with more than 200 digits are now returned as is.
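As an added illustration of the mitigation described above (this is not Django's own floatformat code), the following standalone Python function applies the same digit budget before doing any arithmetic: the input is parsed with Decimal, the number of digits needed to write it in plain notation is computed from the exponent, and anything over the 200-digit limit stated in the release note is returned unchanged. The helper names, the digit-counting rule, and the rounding mode are assumptions for this example; the budget also bounds the working precision of the local Decimal context so a permitted value cannot overflow the default 28-digit precision.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP, localcontext

# Digit budget, as stated in the release note ("decimals with more than
# 200 digits are now returned as is").
MAX_DIGITS = 200


def digit_count(d: Decimal) -> int:
    """Digits needed to write d in plain (non-scientific) notation.

    Assumed rule for this example: a positive exponent appends that many
    trailing zeros; a negative exponent means at least that many digits
    after the decimal point.
    """
    _sign, digits, exponent = d.as_tuple()
    if exponent >= 0:
        return len(digits) + exponent
    return max(len(digits), -exponent)


def safe_floatformat(text: str, places: int = 2) -> str:
    """Format `text` with `places` decimals, or return it untouched when it
    is not a finite number or would need more than MAX_DIGITS digits.

    Example helper, not django.utils.numberformat.floatformat.
    """
    try:
        d = Decimal(text)
    except InvalidOperation:
        return text
    if not d.is_finite():
        return text
    # The check happens before quantize(), so a huge exponent never causes
    # a huge allocation.
    if digit_count(d) > MAX_DIGITS:
        return text
    quantum = Decimal(1).scaleb(-places)  # e.g. places=2 -> Decimal("0.01")
    with localcontext() as ctx:
        # Enough precision for any value that passed the digit check.
        ctx.prec = MAX_DIGITS + places + 1
        return str(d.quantize(quantum, rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("1234.5678", "2.5", "-3.14159", "1e150", "1e300", "1e-300", "abc"):
        print(repr(sample), "->", safe_floatformat(sample)[:40])
```

Values such as "1e300" or "1e-300" are short as text but would expand to hundreds of digits when formatted; rejecting them on the digit count rather than the string length is what keeps memory use bounded.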

CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()

urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

urlize, urlizetrunc, and AdminURLFieldWidget were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()

QuerySet.values() and values_list() methods on models with a JSONField were subject to SQL injection in column aliases, via a crafted JSON object key as a passed *arg.
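The framework-side fix lives in Django itself; as an added, application-level complement (example code, not part of Django or of these notes), the helper below allowlists request-supplied JSON keys before they are turned into `values()` arguments, so that only identifier-style names can ever reach a column alias. The regular expression, length cap and function names are assumptions for this example.

```python
import re

# Assumed policy: an alias may only be a plain identifier (letters, digits,
# underscore, not starting with a digit) of bounded length.
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MAX_ALIAS_LEN = 63


def is_safe_alias(name: object) -> bool:
    """True when `name` is a string that matches the allowlist above."""
    return (
        isinstance(name, str)
        and len(name) <= MAX_ALIAS_LEN
        and ALIAS_RE.match(name) is not None
    )


def json_key_lookups(json_field: str, keys) -> list[str]:
    """Build `<field>__<key>` lookups for values()/values_list(), keeping only
    keys that pass is_safe_alias(); anything else is dropped.

    Hypothetical helper; `json_field` is the model's JSONField name.
    """
    return [f"{json_field}__{k}" for k in keys if is_safe_alias(k)]


if __name__ == "__main__":
    # Constructed sample of keys as they might arrive from a request.
    requested = ["price", "a b", 'x"y', "_ok1", "1bad", 42, "colour"]
    lookups = json_key_lookups("data", requested)
    print(lookups)
    # In an application this list would be passed as
    # Model.objects.values(*lookups), never the raw request keys.
```

Dropping rather than escaping rejected keys keeps the policy simple: a key that is not a plain identifier has no legitimate use as a column alias here.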

Bugfixes

  • Added missing validation to UniqueConstraint(nulls_distinct=False) when using *expressions (#35594).

  • Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could break the admin changelist HTML page when rendering a model instance with a __html__ method (#35606).

  • Fixed a crash when creating a model with a Field.db_default and a Meta.constraints constraint composed of __endswith, __startswith, or __contains lookups (#35625).

  • Fixed a regression in Django 5.0.7 that caused a crash in LocaleMiddleware when processing a language code over 500 characters (#35627).

  • Fixed a bug in Django 5.0 that caused a system check crash when ModelAdmin.date_hierarchy was a GeneratedField with an output_field of DateField or DateTimeField (#35628).

  • Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using Field.db_default (#35638).

  • Fixed a crash in Django 5.0 when saving a model containing a FileField with a db_default set (#35657).