August 6, 2024
Django 5.0.8 fixes three security issues with severity „moderate”, one security issue with severity „high”, and several bugs in 5.0.7.
django.utils.numberformat.floatformat()¶If floatformat received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
django.utils.html.urlize()¶urlize and urlizetrunc were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
django.utils.html.urlize() and AdminURLFieldWidget¶urlize, urlizetrunc, and AdminURLFieldWidget were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
QuerySet.values() and values_list()¶QuerySet.values() and values_list() methods on models
with a JSONField were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed *arg.
UniqueConstraint(nulls_distinct=False) when
using *expressions (#35594).ModelAdmin.action_checkbox could
break the admin changelist HTML page when rendering a model instance with a
__html__ method (#35606).Field.db_default and a
Meta.constraints constraint composed of __endswith, __startswith,
or __contains lookups (#35625).LocaleMiddleware when processing a language code over 500 characters
(#35627).ModelAdmin.date_hierarchy was a GeneratedField with an
output_field of DateField or DateTimeField (#35628).Field.db_default (#35638).FileField
with a db_default set (#35657).sie 06, 2024