Django 3.2.1 release notes
- CVE-2021-31542: Potential directory-traversal via uploaded files
- Bugfixes

Django 3.2.1 release notes

May 4, 2021

Django 3.2.1 fixes a security issue and several bugs in 3.2.

CVE-2021-31542: Potential directory-traversal via uploaded files

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now applied.

Bugfixes

Corrected detection of GDAL 3.2 on Windows (#32544).
Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting (#32620).
Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field (#32627).
Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page (#32637).
Fixed a bug in Django 3.2 where a system check would crash on a reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition (#32635).
Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes (#32649).
Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined (#32648).
Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contains boolean expressions (#32548).
Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB (#32645).
Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format (#32643).
Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist (#32647).
Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path) (#32665).
Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships (#32650).
Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates (#32681).
Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships (#32682). The admin changelist now uses Exists() instead of QuerySet.distinct() because calling delete() after distinct() is not allowed in Django 3.2 to address a data loss possibility.
Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL (#32687).
Fixed a performance regression in Django 3.2 when building complex filters with subqueries (#32632). As a side-effect the private API to check django.db.sql.query.Query equality is removed.