2022-01-04 10:10:53 +00:00
|
|
|
==========================
|
|
|
|
Django 4.0.2 release notes
|
|
|
|
==========================
|
|
|
|
|
2022-01-11 08:57:01 +00:00
|
|
|
*February 1, 2022*
|
2022-01-04 10:10:53 +00:00
|
|
|
|
2022-01-11 08:57:01 +00:00
|
|
|
Django 4.0.2 fixes two security issues with severity "medium" and several bugs
|
2022-01-29 17:59:17 +00:00
|
|
|
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
|
|
|
|
with a special mention for Bulgarian (fully translated).
|
2022-01-04 10:10:53 +00:00
|
|
|
|
2022-01-01 23:37:40 +00:00
|
|
|
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
|
|
|
|
=============================================================
|
|
|
|
|
|
|
|
The ``{% debug %}`` template tag didn't properly encode the current context,
|
|
|
|
posing an XSS attack vector.
|
|
|
|
|
|
|
|
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
|
|
|
|
information when the ``DEBUG`` setting is ``False``, and it ensures all context
|
|
|
|
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
|
|
|
|
|
2022-01-21 06:50:03 +00:00
|
|
|
CVE-2022-23833: Denial-of-service possibility in file uploads
|
|
|
|
=============================================================
|
|
|
|
|
|
|
|
Passing certain inputs to multipart forms could result in an infinite loop when
|
|
|
|
parsing files.
|
|
|
|
|
2022-01-04 10:10:53 +00:00
|
|
|
Bugfixes
|
|
|
|
========
|
|
|
|
|
2022-01-04 22:06:46 +00:00
|
|
|
* Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could
|
|
|
|
execute callbacks multiple times (:ticket:`33410`).
|
2022-01-07 07:46:55 +00:00
|
|
|
|
|
|
|
* Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in
|
|
|
|
automatically-generated forms (:ticket:`33419`).
|
2022-01-07 12:57:03 +00:00
|
|
|
|
|
|
|
* Fixed a regression in Django 4.0 that caused displaying an incorrect name for
|
|
|
|
class-based views on the technical 404 debug page (:ticket:`33425`).
|
2022-01-10 13:01:35 +00:00
|
|
|
|
|
|
|
* Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of
|
|
|
|
``ResolverMatch`` for class-based views (:ticket:`33426`).
|
2022-01-19 15:27:07 +00:00
|
|
|
|
|
|
|
* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on
|
|
|
|
models without ``Meta.order_with_respect_to`` but with a field named
|
|
|
|
``_order`` (:ticket:`33449`).
|
2022-01-19 11:06:38 +00:00
|
|
|
|
|
|
|
* Fixed a regression in Django 4.0 that caused incorrect
|
|
|
|
:attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`).
|
2022-01-27 17:51:39 +00:00
|
|
|
|
|
|
|
* Fixed a duplicate operation regression in Django 4.0 that caused a migration
|
|
|
|
crash when altering a primary key type for a concrete parent model referenced
|
|
|
|
by a foreign key (:ticket:`33462`).
|
2022-01-31 10:33:24 +00:00
|
|
|
|
|
|
|
* Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()``
|
|
|
|
after ``annotate()`` on an aggregate function with a
|
|
|
|
:ref:`default <aggregate-default>` (:ticket:`33468`).
|
2022-01-31 19:29:49 +00:00
|
|
|
|
|
|
|
* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations``
|
|
|
|
when renaming a field of a renamed model (:ticket:`33480`).
|