August 1, 2019
Django 2.2.4 fixes security issues and several bugs in 2.2.3.
django.utils.text.Truncator¶If django.utils.text.Truncator’s chars() and words() methods
were passed the html=True argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The chars() and words() methods are used to implement the
truncatechars_html and truncatewords_html template
filters, which were thus vulnerable.
The regular expressions used by Truncator have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.
JSONField/HStoreField¶Key and index lookups for
JSONField and key lookups for HStoreField
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to QuerySet.filter().
django.utils.encoding.uri_to_iri()¶If passed certain inputs, django.utils.encoding.uri_to_iri() could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.
uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.
Fixed a regression in Django 2.2 when ordering a QuerySet.union(),
intersection(), or difference() by a field type present more than
once results in the wrong ordering being used (#30628).
Fixed a migration crash on PostgreSQL when adding a check constraint
with a contains lookup on
DateRangeField or
DateTimeRangeField, if the right
hand side of an expression is the same type (#30621).
Fixed a regression in Django 2.2 where auto-reloader crashes if a file path
contains nulls characters ('\x00') (#30506).
Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved (#30647).
Dec 25, 2023