Django 3.2.1 release notes
May 4, 2021
Django 3.2.1 fixes a security issue and several bugs in 3.2.
CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser
, UploadedFile
, and FieldFile
allowed directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied.
Bugfixes
- Corrected detection of GDAL 3.2 on Windows (#32544).
- Fixed a bug in Django 3.2 where subclasses of
BigAutoField
andSmallAutoField
were not allowed for the DEFAULT_AUTO_FIELD setting (#32620). - Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values()/values_list()
afterQuerySet.union()
,intersection()
, anddifference()
when it was ordered by an unannotated field (#32627). - Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page (#32637).
- Fixed a bug in Django 3.2 where a system check would crash on a reverse one-to-one relationships in
CheckConstraint.check
orUniqueConstraint.condition
(#32635). - Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes (#32649).
- Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined (#32648).
- Fixed a regression in Django 3.2 that caused a crash when combining
Q()
objects which contains boolean expressions (#32548). - Fixed a regression in Django 3.2 that caused a crash of
QuerySet.update()
on a queryset ordered by inherited or joined fields on MySQL and MariaDB (#32645). - Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by
django.contrib.messages.storage.cookie.CookieStorage
, in the pre-Django 3.2 format (#32643). - Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist (#32647).
- Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of
(prefix, path)
(#32665). - Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using
Exists
toexclude()
multi-valued relationships (#32650). - Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates (#32681).
- Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships (#32682). The admin changelist now uses
Exists()
insteadQuerySet.distinct()
because callingdelete()
afterdistinct()
is not allowed in Django 3.2 to address a data loss possibility. - Fixed a regression in Django 3.2 where the calling process environment would not be passed to the
dbshell
command on PostgreSQL (#32687). - Fixed a performance regression in Django 3.2 when building complex filters with subqueries (#32632). As a side-effect the private API to check
django.db.sql.query.Query
equality is removed.