Django 3.0.1 release notes
December 18, 2019
Django 3.0.1 fixes a security issue and several bugs in 3.0.
CVE-2019-19844: Potential account hijack via password reset form
By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.
In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.
Bugfixes
- Fixed a regression in Django 3.0 by restoring the ability to use Django inside Jupyter and other environments that force an async context, by adding an option to disable Async safety mechanism with
DJANGO_ALLOW_ASYNC_UNSAFE
environment variable (#31056). - Fixed a regression in Django 3.0 where
RegexPattern
, used byre_path()
, returned positional arguments to be passed to the view when all optional named groups were missing (#31061). - Reallowed, following a regression in Django 3.0,
Window
expressions to be used in conditions outside of queryset filters, e.g. inWhen
conditions (#31060). - Fixed a data loss possibility in
SplitArrayField
. When using withArrayField(BooleanField())
, all values after the firstTrue
value were marked as checked instead of preserving passed values (#31073).