Django 2.2.2 release notes

June 3, 2019

Django 2.2.2 fixes security issues and several bugs in 2.2.1.

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customize the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library’s use of jQuery.extend().

Bugfixes

• Fixed a regression in Django 2.2 that stopped Show/Hide toggles working on dynamically added admin inlines (#30459).
• Fixed a regression in Django 2.2 where deprecation message crashes if Meta.ordering contains an expression (#30463).
• Fixed a regression in Django 2.2.1 where SearchVector generates SQL with a redundant Coalesce call (#30488).
• Fixed a regression in Django 2.2 where auto-reloader doesn’t detect changes in manage.py file when using StatReloader (#30479).
• Fixed crash of ArrayAgg and StringAgg with ordering argument when used in a Subquery (#30315).
• Fixed a regression in Django 2.2 that caused a crash of auto-reloader when an exception with custom signature is raised (#30516).
• Fixed a regression in Django 2.2.1 where auto-reloader unnecessarily reloads translation files multiple times when using StatReloader (#30523).