==========================
Django 4.0.2 release notes
==========================

*February 1, 2022*

Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

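
To make the fix concrete, here is an added example that is not Django's own code: it models the behaviour the notes describe, with a pre-4.0.2-style renderer that dumps the context verbatim beside one that returns nothing unless ``DEBUG`` is on and escapes every value when it is. The context stack, the function names and the ``leaks_raw_markup`` check are constructed for illustration.

```python
import html
from pprint import pformat

# Constructed context stack: a list of dicts, mirroring how a template
# context exposes its layers when iterated. One value carries markup that
# must never reach the rendered page unescaped.
CONTEXT = [
    {"user": "alice", "comment": "<script>alert(1)</script>"},
    {"title": "Weekly report"},
]


def render_debug_vulnerable(context):
    """Modelled pre-4.0.2 behaviour: pretty-print every layer verbatim.

    Any markup stored in a context variable is emitted raw into the page,
    which is the XSS vector the release notes describe.
    """
    return "\n".join(pformat(layer) for layer in context)


def render_debug_fixed(context, debug):
    """Modelled 4.0.2 behaviour.

    Emits nothing unless DEBUG is on, and HTML-escapes every pretty-printed
    layer when it is, so context values cannot inject markup.
    """
    if not debug:
        return ""
    return "\n".join(html.escape(pformat(layer)) for layer in context)


def leaks_raw_markup(rendered):
    """Review check: True if any unescaped angle bracket survived rendering."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    print("vulnerable leaks markup:", leaks_raw_markup(render_debug_vulnerable(CONTEXT)))
    print("fixed, DEBUG=False:", repr(render_debug_fixed(CONTEXT, debug=False)))
    print("fixed, DEBUG=True leaks markup:",
          leaks_raw_markup(render_debug_fixed(CONTEXT, debug=True)))
```

The same ``leaks_raw_markup`` check can be run over any debug output that a template helper produces to confirm escaping is applied before the string is marked safe.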

CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.

Bugfixes
========

* Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could
  execute callbacks multiple times (:ticket:`33410`).

* Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in
  automatically-generated forms (:ticket:`33419`).

* Fixed a regression in Django 4.0 that caused displaying an incorrect name for
  class-based views on the technical 404 debug page (:ticket:`33425`).

* Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of
  ``ResolverMatch`` for class-based views (:ticket:`33426`).

* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on
  models without ``Meta.order_with_respect_to`` but with a field named
  ``_order`` (:ticket:`33449`).

* Fixed a regression in Django 4.0 that caused incorrect
  :attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`).

* Fixed a duplicate operation regression in Django 4.0 that caused a migration
  crash when altering a primary key type for a concrete parent model referenced
  by a foreign key (:ticket:`33462`).

* Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()``
  after ``annotate()`` on an aggregate function with a
  :ref:`default <aggregate-default>` (:ticket:`33468`).

* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations``
  when renaming a field of a renamed model (:ticket:`33480`).