ASA-2019-00402 – Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

When deployed behind a reverse proxy that connects to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure() and build_absolute_uri(), and means that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.

ASA-2019-00311 – Django: jQuery Prototype pollution

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().

ASA-2019-00310 – Django: AdminURLFieldWidget Cross-Site Scripting (XSS)

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

ASA-2019-00074 – Django: Memory exhaustion in utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().