Diffstat (limited to 'doc')
-rw-r--r--  doc/build/changelog.rst       7
-rw-r--r--  doc/build/unreleased/367.rst  13
2 files changed, 19 insertions, 1 deletions
diff --git a/doc/build/changelog.rst b/doc/build/changelog.rst index b3f06fd..5ca49de 100644 --- a/doc/build/changelog.rst +++ b/doc/build/changelog.rst @@ -22,7 +22,12 @@ Changelog correctly interpret quoted sections individually. While this parsing issue still produced the same expected tag structure later on, the mis-handling of quoted sections was also subject to a regexp crash if a tag had a large - number of quotes within its quoted sections. + number of quotes within its quoted sections. Credit to Sebastian + Chnelik for locating the issue. + + As Mako templates inherently render and directly invoke arbitrary Python + code from the template source, it is **never** appropriate to create + templates that contain untrusted input. .. changelog:: :version: 1.2.1 diff --git a/doc/build/unreleased/367.rst b/doc/build/unreleased/367.rst new file mode 100644 index 0000000..6798e6e --- /dev/null +++ b/doc/build/unreleased/367.rst @@ -0,0 +1,13 @@ +.. change:: + :tags: bug, lexer + :tickets: 367 + + Fixed issue in lexer in the same category as that of :ticket:`366` where + the regexp used to match an end tag didn't correctly organize for matching + characters surrounded by whitespace, leading to high memory / interpreter + hang if a closing tag incorrectly had a large amount of unterminated space + in it. Credit to Sebastian Chnelik for locating the issue. + + As Mako templates inherently render and directly invoke arbitrary Python + code from the template source, it is **never** appropriate to create + templates that contain untrusted input. |
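Review bot: In the doc/build/changelog.rst hunk, the added sentence "it is **never** appropriate to create templates that contain untrusted input" can be read as covering values passed to a template at render time, while the clause before it is about Python code in the template source. Suggest wording it as "templates whose source contains untrusted input" so the scope matches that clause. The same paragraph is added verbatim in doc/build/unreleased/367.rst, so any rewording should be applied in both places.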
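Review bot: In the new file doc/build/unreleased/367.rst, the phrases "didn't correctly organize for matching characters surrounded by whitespace" and "a large amount of unterminated space" are hard to parse, and a reader cannot tell from them which input triggers the hang. Suggest stating plainly that the end-tag regexp mishandled whitespace inside a closing tag and, if that is what is meant, that a closing tag containing a long run of whitespace with no terminating character led to the high memory use or interpreter hang. The final paragraph also repeats the one added to changelog.rst word for word; consider stating it once in a shared location and referencing it from both entries.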