mirror of https://github.com/django/django.git
84 lines
3.5 KiB
Plaintext
84 lines
3.5 KiB
Plaintext
==========================
|
|
Django 3.2.1 release notes
|
|
==========================
|
|
|
|
*May 4, 2021*
|
|
|
|
Django 3.2.1 fixes a security issue and several bugs in 3.2.
|
|
|
|
CVE-2021-31542: Potential directory-traversal via uploaded files
|
|
================================================================
|
|
|
|
``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
|
|
directory-traversal via uploaded files with suitably crafted file names.
|
|
|
|
In order to mitigate this risk, stricter basename and path sanitation is now
|
|
applied.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Corrected detection of GDAL 3.2 on Windows (:ticket:`32544`).
|
|
|
|
* Fixed a bug in Django 3.2 where subclasses of ``BigAutoField`` and
|
|
``SmallAutoField`` were not allowed for the :setting:`DEFAULT_AUTO_FIELD`
|
|
setting (:ticket:`32620`).
|
|
|
|
* Fixed a regression in Django 3.2 that caused a crash of
|
|
``QuerySet.values()/values_list()`` after ``QuerySet.union()``,
|
|
``intersection()``, and ``difference()`` when it was ordered by an
|
|
unannotated field (:ticket:`32627`).
|
|
|
|
* Restored, following a regression in Django 3.2, displaying an exception
|
|
message on the technical 404 debug page (:ticket:`32637`).
|
|
|
|
* Fixed a bug in Django 3.2 where a system check would crash on a reverse
|
|
one-to-one relationships in ``CheckConstraint.check`` or
|
|
``UniqueConstraint.condition`` (:ticket:`32635`).
|
|
|
|
* Fixed a regression in Django 3.2 that caused a crash of
|
|
:attr:`.ModelAdmin.search_fields` when searching against phrases with
|
|
unbalanced quotes (:ticket:`32649`).
|
|
|
|
* Fixed a bug in Django 3.2 where variable lookup errors were logged rendering
|
|
the sitemap template if alternates were not defined (:ticket:`32648`).
|
|
|
|
* Fixed a regression in Django 3.2 that caused a crash when combining ``Q()``
|
|
objects which contains boolean expressions (:ticket:`32548`).
|
|
|
|
* Fixed a regression in Django 3.2 that caused a crash of ``QuerySet.update()``
|
|
on a queryset ordered by inherited or joined fields on MySQL and MariaDB
|
|
(:ticket:`32645`).
|
|
|
|
* Fixed a regression in Django 3.2 that caused a crash when decoding a cookie
|
|
value, used by ``django.contrib.messages.storage.cookie.CookieStorage``, in
|
|
the pre-Django 3.2 format (:ticket:`32643`).
|
|
|
|
* Fixed a regression in Django 3.2 that stopped the shift-key modifier
|
|
selecting multiple rows in the admin changelist (:ticket:`32647`).
|
|
|
|
* Fixed a bug in Django 3.2 where a system check would crash on the
|
|
:setting:`STATICFILES_DIRS` setting with a list of 2-tuples of
|
|
``(prefix, path)`` (:ticket:`32665`).
|
|
|
|
* Fixed a long standing bug involving queryset bitwise combination when used
|
|
with subqueries that began manifesting in Django 3.2, due to a separate fix
|
|
using ``Exists`` to ``exclude()`` multi-valued relationships
|
|
(:ticket:`32650`).
|
|
|
|
* Fixed a bug in Django 3.2 where variable lookup errors were logged when
|
|
rendering some admin templates (:ticket:`32681`).
|
|
|
|
* Fixed a bug in Django 3.2 where an admin changelist would crash when deleting
|
|
objects filtered against multi-valued relationships (:ticket:`32682`). The
|
|
admin changelist now uses ``Exists()`` instead of ``QuerySet.distinct()``
|
|
because calling ``delete()`` after ``distinct()`` is not allowed in Django
|
|
3.2 to address a data loss possibility.
|
|
|
|
* Fixed a regression in Django 3.2 where the calling process environment would
|
|
not be passed to the ``dbshell`` command on PostgreSQL (:ticket:`32687`).
|
|
|
|
* Fixed a performance regression in Django 3.2 when building complex filters
|
|
with subqueries (:ticket:`32632`). As a side-effect the private API to check
|
|
``django.db.sql.query.Query`` equality is removed.
|