========================== Django 2.0.3 release notes ========================== *March 6, 2018* Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the latest string translations from Transifex are incorporated. CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters =============================================================================================== The ``django.utils.html.urlize()`` function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The ``urlize()`` function is used to implement the ``urlize`` and ``urlizetrunc`` template filters, which were thus vulnerable. The problematic regular expressions are replaced with parsing logic that behaves similarly. CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters ================================================================================================================== If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were passed the ``html=True`` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The ``chars()`` and ``words()`` methods are used to implement the ``truncatechars_html`` and ``truncatewords_html`` template filters, which were thus vulnerable. The backtracking problem in the regular expression is fixed. Bugfixes ======== * Fixed a regression that caused sliced ``QuerySet.distinct().order_by()`` followed by ``count()`` to crash (:ticket:`29108`). * Prioritized the datetime and time input formats without ``%f`` for the Thai locale to fix the admin time picker widget displaying "undefined" (:ticket:`29109`). * Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`). * Made ``Q.deconstruct()`` deterministic with multiple keyword arguments (:ticket:`29125`). You may need to modify ``Q``'s in existing migrations, or accept an autogenerated migration. * Fixed a regression where a ``When()`` expression with a list argument crashes (:ticket:`29166`). * Fixed crash when using a ``Window()`` expression in a subquery (:ticket:`29172`). * Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username`` argument isn't a string (:ticket:`29176`).