Safety vulnerability ID: 39593
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django 1.11.23, 2.1.11, and 2.2.4 include a fix for CVE-2019-14233: Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Latest version: 5.1.4
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
==========================*August 1, 2019*Django 2.2.4 fixes security issues and several bugs in 2.2.3.CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``================================================================================If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methodswere passed the ``html=True`` argument, they were extremely slow to evaluatecertain inputs due to a catastrophic backtracking vulnerability in a regularexpression. The ``chars()`` and ``words()`` methods are used to implement the:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` templatefilters, which were thus vulnerable.The regular expressions used by ``Truncator`` have been simplified in order toavoid potential backtracking issues. As a consequence, trailing punctuation maynow at times be included in the truncated output.CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``=================================================================Due to the behavior of the underlying ``HTMLParser``,:func:`django.utils.html.strip_tags` would be extremely slow to evaluatecertain inputs containing large sequences of nested incomplete HTML entities.The ``strip_tags()`` method is used to implement the corresponding:tfilter:`striptags` template filter, which was thus also vulnerable.``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progressremoving tags, but necessarily incomplete HTML entities, stops being made.Remember that absolutely NO guarantee is provided about the results of``strip_tags()`` being HTML safe. So NEVER mark safe the result of a``strip_tags()`` call without escaping it first, for example with:func:`django.utils.html.escape`.CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``====================================================================================================:lookup:`Key and index lookups <jsonfield.key>` for:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`were subject to SQL injection, using a suitably crafted dictionary, withdictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``=====================================================================================If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could leadto significant memory usage due to excessive recursion when re-percent-encodinginvalid UTF-8 octet sequences.``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8octet sequences.Bugfixes========* Fixed a regression in Django 2.2 when ordering a ``QuerySet.union()``, ``intersection()``, or ``difference()`` by a field type present more than once results in the wrong ordering being used (:ticket:`30628`).* Fixed a migration crash on PostgreSQL when adding a check constraint with a ``contains`` lookup on :class:`~django.contrib.postgres.fields.DateRangeField` or :class:`~django.contrib.postgres.fields.DateTimeRangeField`, if the right hand side of an expression is the same type (:ticket:`30621`).* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path contains nulls characters (``'x00'``) (:ticket:`30506`).* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved (:ticket:`30647`).==========================
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application