Fixed DoS possibility in ModelMultipleChoiceField.

This is a security fix. Disclosure following shortly.

Thanks Keryn Knight for the report and initial patch.

docs/releases/1.6.10.txt

@@ -58,3 +58,12 @@ Note, however, that this view has always carried a warning that it is not
 hardened for production use and should be used only as a development aid. Now
 may be a good time to audit your project and serve your files in production
 using a real front-end web server if you are not doing so.
+
+Database denial-of-service with ``ModelMultipleChoiceField``
+============================================================
+
+Given a form that uses ``ModelMultipleChoiceField`` and
+``show_hidden_initial=True`` (not a documented API), it was possible for a user
+to cause an unreasonable number of SQL queries by submitting duplicate values
+for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
+deduplicates submitted values to address this issue.

docs/releases/1.7.3.txt

@@ -59,6 +59,15 @@ hardened for production use and should be used only as a development aid. Now
 may be a good time to audit your project and serve your files in production
 using a real front-end web server if you are not doing so.
 
+Database denial-of-service with ``ModelMultipleChoiceField``
+============================================================
+
+Given a form that uses ``ModelMultipleChoiceField`` and
+``show_hidden_initial=True`` (not a documented API), it was possible for a user
+to cause an unreasonable number of SQL queries by submitting duplicate values
+for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
+deduplicates submitted values to address this issue.
+
 Bugfixes
 ========
 

docs/spelling_wordlist

@@ -138,6 +138,7 @@ de
 Debian
 deconstruct
 deconstructing
+deduplicates
 deepcopy
 deserialization
 deserialize