Django 1.11.23 release notes
Django 1.11.23 fixes security issues in 1.11.22.
If django.utils.text.Truncator's chars() and words() methods were passed the argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and template filters, which were thus vulnerable.
Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding template filter, which was thus also vulnerable.
strip_tags() now avoids recursive calls to HTMLParser once it stops making progress, that is, when no further tags can be removed and only incomplete HTML entities, which cannot be removed, remain.
Key and index lookups for django.contrib.postgres.fields.JSONField and for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().
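The root of the JSONField/HStoreField issue is expanding an attacker-controlled dictionary straight into QuerySet.filter(**kwargs), so that the lookup keys themselves, not just the values, come from the request. Beyond upgrading, application code that accepts filter dictionaries from clients should allowlist the keys before expanding them. The helper below is an added example, not Django's own code; the field names (name, data), the lookup allowlist and the UnsafeLookup exception are assumptions chosen for illustration, and it runs without Django because it only inspects the dictionary.

```python
import re

# Assumed model surface for this example: the fields a view permits clients to filter on,
# and which of those are JSONField/HStoreField (whose lookups embed key names in the path).
ALLOWED_FIELDS = {"name", "data"}
JSON_FIELDS = {"data"}
ALLOWED_LOOKUPS = {"exact", "icontains", "has_key"}

# Every "__"-separated segment of a lookup key must be a plain identifier; anything
# carrying quotes, spaces or punctuation is rejected before it reaches the ORM.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeLookup(ValueError):
    """Raised when a client-supplied filter key is not on the allowlist."""


def validate_filter_kwargs(kwargs):
    """Return a sanitized copy of a filter() kwargs dict, or raise UnsafeLookup.

    Keys have the form field[__keypath...][__lookup]. The field must be allowed,
    every segment must be identifier-shaped, and for ordinary fields the only
    permitted suffix is a single allowed lookup. JSON/HStore fields may carry a
    key path, but its segments are held to the same identifier rule.
    """
    safe = {}
    for key, value in kwargs.items():
        if not isinstance(key, str):
            raise UnsafeLookup(f"non-string key: {key!r}")
        parts = key.split("__")
        bad = [p for p in parts if not IDENTIFIER.match(p)]
        if bad:
            raise UnsafeLookup(f"malformed segment {bad[0]!r} in key {key!r}")
        field, rest = parts[0], parts[1:]
        if field not in ALLOWED_FIELDS:
            raise UnsafeLookup(f"field not allowed: {field!r}")
        if field not in JSON_FIELDS:
            # Plain field: at most one suffix, and it must be an allowed lookup.
            if len(rest) > 1 or (rest and rest[0] not in ALLOWED_LOOKUPS):
                raise UnsafeLookup(f"lookup not allowed for {field!r}: {key!r}")
        safe[key] = value
    return safe


def is_safe_filter_kwargs(kwargs):
    """Boolean form of validate_filter_kwargs, convenient for tests and logging."""
    try:
        validate_filter_kwargs(kwargs)
    except UnsafeLookup:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one well-formed client filter and one that tries to smuggle
    # SQL fragments into the JSON key path.
    print(validate_filter_kwargs({"name__icontains": "a", "data__color__exact": "red"}))
    print(is_safe_filter_kwargs({"data__x' OR 1=1 --": 1}))
```

In a real view the sanitized dictionary is what gets passed as `Model.objects.filter(**validate_filter_kwargs(request_data))`; the point of the check is that the key side of the expansion is never attacker-shaped, regardless of how a given Django version quotes it.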
If passed certain inputs, could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.