mirror of
https://github.com/django/django.git
synced 2025-06-28 06:49:12 +00:00
0b42f6a528
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
33 lines
1.2 KiB
Plaintext
33 lines
1.2 KiB
Plaintext
===========================
|
|
Django 4.2.21 release notes
|
|
===========================
|
|
|
|
*Expected May 7, 2025*
|
|
|
|
Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
|
|
and a regression in 4.2.20.
|
|
|
|
CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
|
|
=================================================================
|
|
|
|
:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
|
|
containing large sequences of incomplete HTML tags. This function is used to
|
|
implement the :tfilter:`striptags` template filter, which was thus also
|
|
vulnerable.
|
|
|
|
:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
|
|
exception if it encounters an unusually large number of unclosed opening tags.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a data corruption possibility in ``file_move_safe()`` when
|
|
``allow_overwrite=True``, where leftover content from a previously larger
|
|
file could remain after overwriting with a smaller one due to lack of
|
|
truncation (:ticket:`36298`).
|
|
|
|
* Fixed a regression in Django 4.2.20, introduced when fixing
|
|
:cve:`2025-26699`, where the :tfilter:`wordwrap` template filter did not
|
|
preserve empty lines between paragraphs after wrapping text
|
|
(:ticket:`36341`).
|