Update 1.5 release notes for XML and formset fixes.

carljm committed Feb 12, 2013
1 parent 35c991a commit 8fbea5e1881e8c310a462599a191619688ba67dd
Showing with 19 additions and 0 deletions.
  1. +19 −0 docs/releases/1.5.txt
@@ -628,6 +628,25 @@ your routers allow synchronizing content types and permissions to only one of
them. See the docs on the :ref:`behavior of contrib apps with multiple
databases <contrib_app_multiple_databases>` for more information.
+XML deserializer will not parse documents with a DTD
+In order to prevent exposure to denial-of-service attacks related to external
+entity references and entity expansion, the XML model deserializer now refuses
+to parse XML documents containing a DTD (DOCTYPE definition). Since the XML
+serializer does not output a DTD, this will not impact typical usage, only
+cases where custom-created XML documents are passed to Django's model
+Formsets default ``max_num``
+A (default) value of ``None`` for the ``max_num`` argument to a formset factory
+no longer defaults to allowing any number of forms in the formset. Instead, in
+order to prevent memory-exhaustion attacks, it now defaults to a limit of 1000
+forms. This limit can be raised by explicitly setting a higher value for
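Review bot: the XML deserializer entry says documents containing a DTD are now refused but does not say how that refusal surfaces to the caller (which exception is raised, and whether a ``loaddata`` run reports it clearly); anyone passing custom-created XML to the model deserializer needs that to adjust their error handling, so add one sentence naming the error. Likewise the ``max_num`` entry gives the new default of 1000 but not what happens to submitted forms beyond the limit (rejected or ignored), and it could carry a :ref: link to the formset ``max_num`` documentation in the same way the multiple-databases paragraph above links to ``contrib_app_multiple_databases``.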
