May 4, 2021
Django 3.2.1 fixes a security issue and several bugs in 3.2.
MultiPartParser
, UploadedFile
, and FieldFile
allowed
directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied.
BigAutoField
and
SmallAutoField
were not allowed for the DEFAULT_AUTO_FIELD
setting (#32620).QuerySet.values()/values_list()
after QuerySet.union()
,
intersection()
, and difference()
when it was ordered by an
unannotated field (#32627).CheckConstraint.check
or
UniqueConstraint.condition
(#32635).ModelAdmin.search_fields
when searching against phrases with
unbalanced quotes (#32649).Q()
objects which contains boolean expressions (#32548).QuerySet.update()
on a queryset ordered by inherited or joined fields on MySQL and MariaDB
(#32645).django.contrib.messages.storage.cookie.CookieStorage
, in
the pre-Django 3.2 format (#32643).STATICFILES_DIRS
setting with a list of 2-tuples of
(prefix, path)
(#32665).Exists
to exclude()
multi-valued relationships
(#32650).Exists()
instead QuerySet.distinct()
because calling delete()
after distinct()
is not allowed in Django
3.2 to address a data loss possibility.dbshell
command on PostgreSQL (#32687).django.db.sql.query.Query
equality is removed.Jul 28, 2023