August 6, 2024
Django 5.0.8 fixes three moderate-severity security issues, one high-severity security issue, and several bugs in 5.0.7.
django.utils.numberformat.floatformat()
If floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
django.utils.html.urlize()
urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
django.utils.html.urlize() and AdminURLFieldWidget
urlize, urlizetrunc, and AdminURLFieldWidget were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a JSONField were subject to SQL injection in column aliases, via a crafted JSON object key as a passed *arg.
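The guard described above, as an added illustration that is not Django's own code: the size of the fully expanded number is computed from the Decimal's digit tuple and exponent, so a value that would expand past 200 digits is returned unchanged instead of being written out. The helper names and the 200-digit limit constant are assumptions for this example.

```python
from decimal import Decimal, ROUND_HALF_UP, localcontext

# Constructed limit mirroring the release note: values with more than
# 200 digits in expanded form are returned as-is (example code, not Django's).
MAX_DIGITS = 200


def expanded_digit_count(value: str) -> int:
    """Digits the value would occupy written out without an exponent.

    Computed from the Decimal tuple, so "1E+1000000" is never expanded
    into a megabyte-long string just to measure it.
    """
    sign, digits, exponent = Decimal(value).as_tuple()
    if not isinstance(exponent, int):  # 'n', 'N', 'F' for NaN / Infinity
        raise ValueError("not a finite number")
    if exponent >= 0:
        # Integer: mantissa digits followed by `exponent` zeros.
        return len(digits) + exponent
    frac_digits = -exponent
    int_digits = max(len(digits) - frac_digits, 1)  # at least a leading "0"
    return int_digits + frac_digits


def safe_floatformat(value: str, places: int = 2) -> str:
    """Round `value` to `places` decimals, unless expanding it is too costly."""
    if expanded_digit_count(value) > MAX_DIGITS:
        return value  # returned untouched, no expansion takes place
    with localcontext() as ctx:
        ctx.prec = MAX_DIGITS + places + 1  # enough for any accepted value
        quantum = Decimal(1).scaleb(-places)  # e.g. Decimal("0.01")
        return str(Decimal(value).quantize(quantum, rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    print(safe_floatformat("12.345"))       # 12.35
    print(safe_floatformat("1E+1000000"))   # 1E+1000000 (left as is)
```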
Added missing validation in UniqueConstraint(nulls_distinct=False) when using *expressions (#35594).
Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could break the admin changelist HTML page when rendering a model instance with an __html__ method (#35606).
Fixed a crash when creating a model with a Field.db_default and a
Meta.constraints constraint composed of __endswith, __startswith,
or __contains lookups (#35625).
Fixed a regression in Django 5.0.7 that caused a crash in
LocaleMiddleware when processing a language code over 500 characters
(#35627).
Fixed a bug in Django 5.0 that caused a system check crash when
ModelAdmin.date_hierarchy was a GeneratedField with an
output_field of DateField or DateTimeField (#35628).
Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using Field.db_default (#35638).
Fixed a crash in Django 5.0 when saving a model containing a FileField
with a db_default set (#35657).
Apr. 02, 2025