• dev
  • 文档版本: 5.1

Django 5.1.4 release notes

December 4, 2024

Django 5.1.4 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.1.3.

CVE-2024-53907: Denial-of-service possibility in strip_tags()

strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now has an upper limit of recursive calls to HTMLParser before raising a SuspiciousOperation exception.

请记住,strip_tags() 的结果绝对不保证是安全的 HTML。因此,在将 strip_tags() 调用的结果标记为安全之前,绝对不要忘记首先进行转义,例如使用 django.utils.html.escape()

CVE-2024-53908: Potential SQL injection via HasKey(lhs, rhs) on Oracle

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data was used as a lhs value.

Applications that use the has_key lookup through the __ syntax are unaffected.

漏洞修复

  • Fixed a crash in createsuperuser on Python 3.13+ caused by an unhandled OSError when the username could not be determined (#35942).

  • Fixed a regression in Django 5.1 where relational fields were not updated when calling Model.refresh_from_db() on instances with deferred fields (#35950).

Back to Top