Update for v3.1.4 release

mozilla · Mar 26, 2020 · 6e74a50 · 6e74a50 · Snezhana-Usova · Sep 16, 2020
1 parent d6018f2
commit 6e74a50
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,39 @@
 Bleach changes
 ==============
 
+Version 3.1.4 (March 24th, 2020)
+--------------------------------
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing style attributes could result in a
+  regular expression denial of service (ReDoS).
+
+  Calls to ``bleach.clean`` with an allowed tag with an allowed
+  ``style`` attribute were vulnerable to ReDoS. For example,
+  ``bleach.clean(..., attributes={'a': ['style']})``.
+
+  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
+  v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
+  regular expression and should be considered vulnerable too.
+
+  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.
+
+  https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
+
+**Backwards incompatible changes**
+
+* Style attributes with dashes, or single or double quoted values are
+  cleaned instead of passed through.
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
 Version 3.1.3 (March 17th, 2020)
 --------------------------------
 

diff --git a/bleach/__init__.py b/bleach/__init__.py
@@ -18,9 +18,9 @@
 
 
 # yyyymmdd
-__releasedate__ = '20200317'
+__releasedate__ = '20200324'
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.3'
+__version__ = '3.1.4'
 VERSION = parse_version(__version__)