Django

============================

*February 3, 2020*

Django 1.11.28 fixes a security issue in 1.11.27.

CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
===================================================================

:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
subject to SQL injection, using a suitably crafted ``delimiter``.


============================

============================

*December 18, 2019*

Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.

CVE-2019-19844: Potential account hijack via password reset form
================================================================

By submitting a suitably crafted email address making use of Unicode
characters, that compared equal to an existing user email when lower-cased for
comparison, an attacker could be sent a password reset token for the matched
account.

In order to avoid this vulnerability, password reset requests now compare the
submitted email using the stricter, recommended algorithm for case-insensitive
comparison of two identifiers from `Unicode Technical Report 36, section
2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
sent to the email address on record rather than the submitted address.

.. __: https://www.unicode.org/reports/tr36/#Recommendations_General

Bugfixes
========

* Fixed a data loss possibility in
:class:`~django.contrib.postgres.forms.SplitArrayField`. When using with
``ArrayField(BooleanField())``, all values after the first ``True`` value
were marked as checked instead of preserving passed values (:ticket:`31073`).


============================

============================

*November 4, 2019*

Django 1.11.26 fixes a regression in 1.11.25.

Bugfixes
========

* Fixed a crash when using a ``contains``, ``contained_by``, ``has_key``,
``has_keys``, or ``has_any_keys`` lookup on
``django.contrib.postgres.fields.JSONField``, if the right or left hand
side of an expression is a key transform (:ticket:`30826`).


============================

============================

*October 1, 2019*

Django 1.11.25 fixes a regression in 1.11.23.

Bugfixes
========

* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset
containing ``django.contrib.postgres.fields.JSONField`` or
:class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`).


============================

============================

*September 2, 2019*

Django 1.11.24 fixes a regression in 1.11.23.

Bugfixes
========

* Fixed crash of ``KeyTransform()`` for
``django.contrib.postgres.fields.JSONField`` and
:class:`~django.contrib.postgres.fields.HStoreField` when using on
expressions with params (:ticket:`30672`).


============================

============================

*August 1, 2019*

Django 1.11.23 fixes security issues in 1.11.22.

CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.

The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
=================================================================

Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.

CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
====================================================================================================

:lookup:`Key and index lookups <jsonfield.key>` for
``django.contrib.postgres.fields.JSONField`` and :lookup:`key lookups
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.

CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
=====================================================================================

If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.


============================