mirror of https://github.com/django/django.git synced 2024-12-24 18:16:19 +00:00
django/docs/releases/4.0.2.txt
Mariusz Felisiak fc18f36c4a Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
2022-02-01 07:41:40 +01:00
==========================
Django 4.0.2 release notes
==========================

*February 1, 2022*

Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
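The two mitigations described above, as an added standalone sketch (this is
not Django's own ``DebugNode`` code): a plain function standing in for the
tag, a ``debug`` flag standing in for the ``DEBUG`` setting, and a constructed
context containing a value that would inject markup if rendered unescaped.

```python
from html import escape
from pprint import pformat


def render_debug_tag(context: dict, debug: bool) -> str:
    """Mimic the hardened ``{% debug %}`` behaviour on a plain dict.

    Hypothetical stand-in for the template tag, not Django's implementation.

    - When ``debug`` is False the tag renders nothing at all, so no context
      data (and no attacker-controlled string inside it) reaches the page.
    - When ``debug`` is True every value is pretty-printed and then
      HTML-escaped, so a value such as ``<script>...`` becomes inert text.
    """
    if not debug:
        return ""
    lines = []
    for name, value in sorted(context.items()):
        # Escape both the name and the pformat() output; pformat() alone
        # performs no HTML encoding.
        lines.append(f"{escape(name)} = {escape(pformat(value))}")
    return "\n".join(lines)


# Constructed sample context: "q" holds a markup payload of the kind that
# ends up in a context when a request parameter is copied in unescaped.
SAMPLE_CONTEXT = {
    "user": "alice",
    "q": '<script>alert("xss")</script>',
}

if __name__ == "__main__":
    print(repr(render_debug_tag(SAMPLE_CONTEXT, debug=False)))  # ''
    print(render_debug_tag(SAMPLE_CONTEXT, debug=True))
```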

CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.

Bugfixes
========

* Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could
execute callbacks multiple times (:ticket:`33410`).
* Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in
automatically-generated forms (:ticket:`33419`).
* Fixed a regression in Django 4.0 that caused displaying an incorrect name for
class-based views on the technical 404 debug page (:ticket:`33425`).
* Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of
``ResolverMatch`` for class-based views (:ticket:`33426`).
* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on
models without ``Meta.order_with_respect_to`` but with a field named
``_order`` (:ticket:`33449`).
* Fixed a regression in Django 4.0 that caused incorrect
:attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`).
* Fixed a duplicate operation regression in Django 4.0 that caused a migration
crash when altering a primary key type for a concrete parent model referenced
by a foreign key (:ticket:`33462`).
* Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()``
after ``annotate()`` on an aggregate function with a
:ref:`default <aggregate-default>` (:ticket:`33468`).
* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations``
when renaming a field of a renamed model (:ticket:`33480`).