Django 3.1.7 release notes
February 19, 2021
Django 3.1.7 fixes a security issue and a bug in 3.1.6.
CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl()
no longer allows using ;
as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.
Bugfixes
- Fixed a regression in Django 3.1 that caused
RuntimeError
instead of connection errors when using only the'postgres'
database (#32403).