Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().

Language codes are now parsed with a maximum length limit of 500 chars.

Thanks to MProgrammer for the report.
Sarah Boyce 2024-06-26 12:11:54 +02:00 committed by Natalia
parent fe4a0bbe20
commit 9e9792228a
5 changed files with 71 additions and 5 deletions


@ -1147,6 +1147,11 @@ For a complete discussion on the usage of the following see the
``lang_code`` is ``'es-ar'`` and ``'es'`` is in :setting:`LANGUAGES` but
``'es-ar'`` isn't.
``lang_code`` has a maximum accepted length of 500 characters. A
:exc:`ValueError` is raised if ``lang_code`` exceeds this limit and
``strict`` is ``True``, or if there is no generic variant and ``strict``
is ``False``.
If ``strict`` is ``False`` (the default), a country-specific variant may
be returned when neither the language code nor its generic variant is found.
For example, if only ``'es-co'`` is in :setting:`LANGUAGES`, that's
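Review bot: the new sentence "A ValueError is raised if lang_code exceeds this limit and strict is True, or if there is no generic variant and strict is False" in this hunk is ambiguous, because the second clause reads as if a missing generic variant raises ValueError regardless of length, which contradicts the existing "Raises LookupError if nothing is found" and the strict=False fallback described just below. Suggest making the length condition govern both clauses, e.g. "If lang_code exceeds this limit, a ValueError is raised when strict is True, or when strict is False and no generic variant is found within the limit." It would also help to state explicitly that, with strict=False, the generic variant is taken from the part of the code within the 500-character limit, since that is what "generic variant" refers to here.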
@ -1155,6 +1160,11 @@ For a complete discussion on the usage of the following see the
Raises :exc:`LookupError` if nothing is found.
.. versionchanged:: 4.2.14
In older versions, ``lang_code`` values over 500 characters were
processed without raising a :exc:`ValueError`.
.. function:: to_locale(language)
Turns a language name (en-us) into a locale name (en_US).
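Review bot: the versionchanged note in this hunk says values over 500 characters "were processed without raising a ValueError", but the behaviour added in the previous hunk only guarantees a ValueError when strict is True (or when no generic variant exists with strict False), so the note slightly overstates the new behaviour. Suggest wording it as "values over 500 characters were processed without any length check" and, if a version-specific note is wanted, adding the same ".. versionchanged:: 4.2.14" note to the other affected functions in this changeset so readers of those entries see the new limit as well.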