Don't characterize XML vulnerabilities as DoS-only.

This commit is contained in:
Carl Meyer 2013-02-19 18:20:08 -07:00
parent 23ef6e1baf
commit c7f80b428b

@ -631,12 +631,11 @@ databases <contrib_app_multiple_databases>` for more information.
XML deserializer will not parse documents with a DTD XML deserializer will not parse documents with a DTD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In order to prevent exposure to denial-of-service attacks related to external In order to prevent exposure to attacks related to external entity references
entity references and entity expansion, the XML model deserializer now refuses and entity expansion, the XML model deserializer now refuses to parse XML
to parse XML documents containing a DTD (DOCTYPE definition). Since the XML documents containing a DTD (DOCTYPE definition). Since the XML serializer does
serializer does not output a DTD, this will not impact typical usage, only not output a DTD, this will not impact typical usage, only cases where
cases where custom-created XML documents are passed to Django's model custom-created XML documents are passed to Django's model deserializer.
deserializer.
Formsets default ``max_num`` Formsets default ``max_num``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
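Review bot: dropping "denial-of-service" from the first sentence of the note removes the only statement of impact, so a reader no longer learns why refusing a DTD matters; since the commit message's point is that these issues are not DoS-only, consider keeping the impact but widening it, e.g. "In order to prevent exposure to attacks (not limited to denial of service) related to external entity references and entity expansion, the XML model deserializer now refuses to parse XML documents containing a DTD (DOCTYPE definition)." The rest of the paragraph (serializer never emits a DTD, only custom-created documents are affected) reads correctly as rewrapped.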