Django 4.2.6 release notes
October 4, 2023
Django 4.2.6 fixes a security issue with severity “moderate” and several bugs in 4.2.5.
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator
‘s chars()
and words()
methods (with html=True
) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.
The chars()
and words()
methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.
The input processed by Truncator
, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
漏洞修复
Fixed a regression in Django 4.2.5 where overriding the deprecated
DEFAULT_FILE_STORAGE
andSTATICFILES_STORAGE
settings in tests caused the mainSTORAGES
to mutate (#34821).Fixed a regression in Django 4.2 that caused unnecessary casting of string based fields (
CharField
,EmailField
,TextField
,CICharField
,CIEmailField
, andCITextField
) used with the__isnull
lookup on PostgreSQL. As a consequence, indexes using an__isnull
expression or condition created before Django 4.2 wouldn’t be used by the query planner, leading to a performance regression (#34840).You may need to recreate such indexes created in your database with Django 4.2 to 4.2.5, as they contain unnecessary
::text
casting. Find candidate indexes with this query:SELECT indexname, indexdef
FROM pg_indexes
WHERE indexdef LIKE '%::text IS %NULL';