django/docs/releases/3.0.1.txt

==========================
Django 3.0.1 release notes
==========================

*December 18, 2019*

Django 3.0.1 fixes a security issue and several bugs in 3.0.

CVE-2019-19844: Potential account hijack via password reset form
================================================================

By submitting a suitably crafted email address making use of Unicode
characters, that compared equal to an existing user email when lower-cased for
comparison, an attacker could be sent a password reset token for the matched
account.

In order to avoid this vulnerability, password reset requests now compare the
submitted email using the stricter, recommended algorithm for case-insensitive
comparison of two identifiers from `Unicode Technical Report 36, section
2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
sent to the email address on record rather than the submitted address.

.. __: https://www.unicode.org/reports/tr36/#Recommendations_General

Bugfixes
========

* Fixed a regression in Django 3.0 by restoring the ability to use Django
  inside Jupyter and other environments that force an async context, by adding
  an option to disable :ref:`async-safety` mechanism with
  :envvar:`DJANGO_ALLOW_ASYNC_UNSAFE` environment variable (:ticket:`31056`).

* Fixed a regression in Django 3.0 where ``RegexPattern``, used by
  :func:`~django.urls.re_path`, returned positional arguments to be passed to
  the view when all optional named groups were missing (:ticket:`31061`).

* Reallowed, following a regression in Django 3.0,
  :class:`~django.db.models.expressions.Window` expressions to be used in
  conditions outside of queryset filters, e.g. in
  :class:`~django.db.models.expressions.When` conditions (:ticket:`31060`).

* Fixed a data loss possibility in
  :class:`~django.contrib.postgres.forms.SplitArrayField`. When using with
  ``ArrayField(BooleanField())``, all values after the first ``True`` value
  were marked as checked instead of preserving passed values (:ticket:`31073`).
Added stub release notes for 3.0.1. 2019-12-02 20:43:59 +00:00			`==========================`
			`Django 3.0.1 release notes`
			`==========================`

Fixed CVE-2019-19844 -- Used verified user email for password reset requests. Co-Authored-By: Florian Apolloner <florian@apolloner.eu> 2019-12-17 02:51:57 +00:00			`December 18, 2019`
Added stub release notes for 3.0.1. 2019-12-02 20:43:59 +00:00
Fixed CVE-2019-19844 -- Used verified user email for password reset requests. Co-Authored-By: Florian Apolloner <florian@apolloner.eu> 2019-12-17 02:51:57 +00:00			`Django 3.0.1 fixes a security issue and several bugs in 3.0.`

			`CVE-2019-19844: Potential account hijack via password reset form`
			`================================================================`

			`By submitting a suitably crafted email address making use of Unicode`
			`characters, that compared equal to an existing user email when lower-cased for`
			`comparison, an attacker could be sent a password reset token for the matched`
			`account.`

			`In order to avoid this vulnerability, password reset requests now compare the`
			`submitted email using the stricter, recommended algorithm for case-insensitive`
			comparison of two identifiers from `Unicode Technical Report 36, section
			2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
			`sent to the email address on record rather than the submitted address.`

			`.. __: https://www.unicode.org/reports/tr36/#Recommendations_General`
Added stub release notes for 3.0.1. 2019-12-02 20:43:59 +00:00
			`Bugfixes`
			`========`

Fixed #31056 -- Allowed disabling async-unsafe check with an environment variable. 2019-12-02 20:02:21 +00:00			`* Fixed a regression in Django 3.0 by restoring the ability to use Django`
			`inside Jupyter and other environments that force an async context, by adding`
Fixed typo in docs/releases/3.0.1.txt. 2019-12-09 06:57:36 +00:00			an option to disable :ref:`async-safety` mechanism with
Used :envvar: role and .. envvar:: directive in various docs. 2020-04-30 10:12:05 +00:00			:envvar:`DJANGO_ALLOW_ASYNC_UNSAFE` environment variable (:ticket:`31056`).
Fixed #31061 -- Ignored positional args in django.urls.resolve() when all optional named parameters are missing. Regression in 76b993a117b61c41584e95149a67d8a1e9f49dd1. Thanks Claude Paroz for the report and Carlton Gibson for reviews. 2019-12-06 08:32:51 +00:00
			* Fixed a regression in Django 3.0 where ``RegexPattern``, used by
			:func:`~django.urls.re_path`, returned positional arguments to be passed to
			the view when all optional named groups were missing (:ticket:`31061`).
Fixed #31060 -- Reallowed window expressions to be used in conditions outside of queryset filters. Regression in 4edad1ddf6203326e0be4bdb105beecb0fe454c4. Thanks utapyngo for the report. 2019-12-05 16:08:47 +00:00
			`* Reallowed, following a regression in Django 3.0,`
			:class:`~django.db.models.expressions.Window` expressions to be used in
			`conditions outside of queryset filters, e.g. in`
			:class:`~django.db.models.expressions.When` conditions (:ticket:`31060`).
Refs #31073 -- Added release notes for 02eff7ef60466da108b1a33f1e4dc01eec45c99d. 2019-12-11 09:07:41 +00:00
			`* Fixed a data loss possibility in`
			:class:`~django.contrib.postgres.forms.SplitArrayField`. When using with
			``ArrayField(BooleanField())``, all values after the first ``True`` value
			were marked as checked instead of preserving passed values (:ticket:`31073`).