Add CHANGES.rst for #323

Pylons · Feb 1, 2019 · 95b883a · 95b883a
1 parent f30bd35
commit 95b883a
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,19 @@
 Unreleased
 ==========
 
+- The URL validator regex has been updated to no longer be vulnerable to a
+  catastrophic backtracking that would have led to an infinite loop. See
+  https://github.com/Pylons/colander/pull/323 and
+  https://github.com/Pylons/colander/issues/290. With thanks to Przemek
+  (https://github.com/p-m-k).
+
+  This does change the behaviour of the URL validator and it no longer supports
+  ``file:///`` URI scheme (https://tools.ietf.org/html/rfc8089). Users that
+  wish to validate ``file:///`` URI's should change their validator to use
+  ``colander.file_uri`` instead.
+
+  CVE-ID: CVE-2017-18361
+
 - The Email validator has been updated to use the same regular expression that
   is used by the WhatWG HTML specification, thereby increasing the email
   addresses that will validate correctly from web forms submitted. See