Update for v3.1.4 release
Greg Guthe authored and g-k committed Mar 26, 2020
1 parent d6018f2 commit 6e74a50
Showing 2 changed files with 35 additions and 2 deletions.
33 changes: 33 additions & 0 deletions CHANGES
@@ -1,6 +1,39 @@
Bleach changes
==============

Version 3.1.4 (March 24th, 2020)
--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).

Calls to ``bleach.clean`` with an allowed tag with an allowed
``style`` attribute were vulnerable to ReDoS. For example,
``bleach.clean(..., attributes={'a': ['style']})``.

This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
regular expression and should be considered vulnerable too.

Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1623633

**Backwards incompatible changes**

* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.

**Features**

None

**Bug fixes**

None

Version 3.1.3 (March 17th, 2020)
--------------------------------

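Review bot: In the **Backwards incompatible changes** entry, "are cleaned instead of passed through" does not say what a caller now gets back for a style value containing dashes or quotes (declaration dropped, value stripped, or something else), so anyone upgrading for the ReDoS fix cannot judge the effect on their output. Suggest adding one before/after example of a ``style`` value to that bullet. The security entry also states the trigger precisely (an allowed tag with an allowed ``style`` attribute) but gives no interim guidance for users who cannot upgrade right away; if removing ``style`` from the allowed attributes avoids the vulnerable path, say so in this entry.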
4 changes: 2 additions & 2 deletions bleach/__init__.py
Expand Up @@ -18,9 +18,9 @@


# yyyymmdd
__releasedate__ = '20200317'
__releasedate__ = '20200324'
# x.y.z or x.y.z.dev0 -- semver
__version__ = '3.1.3'
__version__ = '3.1.4'
VERSION = parse_version(__version__)


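Review bot: The bump to `__version__ = '3.1.4'` is a patch-level increment, but the comment directly above it says the scheme is semver, and the CHANGES entry for this same release lists a backwards incompatible change to style attribute handling. Either note in CHANGES that the break ships in a patch release deliberately because it is part of the security fix, or reword the `# x.y.z or x.y.z.dev0 -- semver` comment so it does not promise compatibility that this release does not keep. The new `__releasedate__` of '20200324' does agree with the "March 24th, 2020" header in CHANGES.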

1 comment on commit 6e74a50

@Snezhana-Usova

ok
