August 6, 2024
Django 5.0.8 fixes three security issues with severity “moderate”, one security issue with severity “high”, and several bugs in 5.0.7.
django.utils.numberformat.floatformat()¶If floatformat received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
django.utils.html.urlize()¶urlize and urlizetrunc were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
django.utils.html.urlize() and AdminURLFieldWidget¶urlize, urlizetrunc, and AdminURLFieldWidget were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
QuerySet.values() and values_list()¶QuerySet.values() and values_list() methods on models
with a JSONField were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed *arg.
Added missing validation for UniqueConstraint(nulls_distinct=False) when
using *expressions (#35594).
Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could
break the admin changelist HTML page when rendering a model instance with a
__html__ method (#35606).
Fixed a crash when creating a model with a Field.db_default and a
Meta.constraints constraint composed of __endswith, __startswith,
or __contains lookups (#35625).
Fixed a regression in Django 5.0.7 that caused a crash in
LocaleMiddleware when processing a language code over 500 characters
(#35627).
Fixed a bug in Django 5.0 that caused a system check crash when
ModelAdmin.date_hierarchy was a GeneratedField with an
output_field of DateField or DateTimeField (#35628).
Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using Field.db_default (#35638).
Fixed a crash in Django 5.0 when saving a model containing a FileField
with a db_default set (#35657).
Mar 04, 2025