October 4, 2023
Django 4.1.12 fixes a security issue with severity “moderate” in 4.1.11.
UsernameField on Windows¶The NFKC normalization is slow on
Windows. As a consequence, django.contrib.auth.forms.UsernameField was
subject to a potential denial of service attack via certain inputs with a very
large number of Unicode characters.
In order to avoid the vulnerability, invalid values longer than
UsernameField.max_length are no longer normalized, since they cannot pass
validation anyway.
django.utils.text.Truncator¶Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words()
methods (with html=True) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.
The chars() and words() methods are used to implement the
truncatechars_html and truncatewords_html template
filters, which were thus also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
Feb 28, 2024