1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
==========================
Django 5.1.9 release notes
==========================
*May 7, 2025*
Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug,
and a regression in 5.1.8.
This release was built using an upgraded :pypi:`setuptools`, producing
filenames compliant with :pep:`491` and :pep:`625` and thus addressing a PyPI
warning about non-compliant distribution filenames. This change only affects
the Django packaging process and does not impact Django's behavior.
CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================
:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.
:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.
Bugfixes
========
* Fixed a data corruption possibility in ``file_move_safe()`` when
``allow_overwrite=True``, where leftover content from a previously larger
file could remain after overwriting with a smaller one due to lack of
truncation (:ticket:`36298`).
* Fixed a regression in Django 5.1.8, introduced when fixing :cve:`2025-26699`,
where the :tfilter:`wordwrap` template filter did not preserve empty lines
between paragraphs after wrapping text (:ticket:`36341`).
|
