Update 1.5 release notes for XML and formset fixes.

commit 8fbea5e1881e8c310a462599a191619688ba67dd 1 parent 35c991a
@carljm carljm authored
Showing with 19 additions and 0 deletions.
  1. +19 −0 docs/releases/1.5.txt
19 docs/releases/1.5.txt
@@ -628,6 +628,25 @@ your routers allow synchronizing content types and permissions to only one of
them. See the docs on the :ref:`behavior of contrib apps with multiple
databases <contrib_app_multiple_databases>` for more information.
+XML deserializer will not parse documents with a DTD
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to prevent exposure to denial-of-service attacks related to external
+entity references and entity expansion, the XML model deserializer now refuses
+to parse XML documents containing a DTD (DOCTYPE definition). Since the XML
+serializer does not output a DTD, this will not impact typical usage, only
+cases where custom-created XML documents are passed to Django's model
+deserializer.
+
+Formsets default ``max_num``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A (default) value of ``None`` for the ``max_num`` argument to a formset factory
+no longer defaults to allowing any number of forms in the formset. Instead, in
+order to prevent memory-exhaustion attacks, it now defaults to a limit of 1000
+forms. This limit can be raised by explicitly setting a higher value for
+``max_num``.
+
Miscellaneous
~~~~~~~~~~~~~
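Review bot: the parenthetical in the first added paragraph misexpands the acronym: DTD stands for Document Type Definition, and what the deserializer now rejects is a document carrying a ``<!DOCTYPE>`` declaration, so suggest "containing a DTD (a ``<!DOCTYPE>`` declaration)" in place of "containing a DTD (DOCTYPE definition)". In the second added section, the ``max_num`` paragraph would also benefit from a :ref: link to the formset ``max_num`` documentation, matching the cross-reference style of the surrounding paragraph on contrib apps with multiple databases, so readers who need to raise the limit can find the option directly.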