Django - 4.0.2
Security
Django 4.0.2 release notes
February 1, 2022
Django 4.0.2 fixes two security issues with severity “medium” and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).
CVE-2022-22818: Possible XSS via {% debug %}
template tag
The {% debug %}
template tag didn’t properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, {% debug %}
no longer outputs an
information when the DEBUG
setting is False
, and it ensures all context
variables are correctly escaped when the DEBUG
setting is True
.
CVE-2022-23833: Denial-of-service possibility in file uploads
Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.
Bugfixes
- Fixed a bug in Django 4.0 where
TestCase.captureOnCommitCallbacks()
could
execute callbacks multiple times (#33410). - Fixed a regression in Django 4.0 where
help\_text
was HTML-escaped in
automatically-generated forms (#33419). - Fixed a regression in Django 4.0 that caused displaying an incorrect name for
class-based views on the technical 404 debug page (#33425). - Fixed a regression in Django 4.0 that caused an incorrect
repr
of
ResolverMatch
for class-based views (#33426). - Fixed a regression in Django 4.0 that caused a crash of
makemigrations
on
models withoutMeta.order\_with\_respect\_to
but with a field named
\_order
(#33449). - Fixed a regression in Django 4.0 that caused incorrect
ModelAdmin.radio\_fields
layout in the admin (#33407). - Fixed a duplicate operation regression in Django 4.0 that caused a migration
crash when altering a primary key type for a concrete parent model referenced
by a foreign key (#33462). - Fixed a bug in Django 4.0 that caused a crash of
QuerySet.aggregate()
afterannotate()
on an aggregate function with a
default (#33468). - Fixed a regression in Django 4.0 that caused a crash of
makemigrations
when renaming a field of a renamed model (#33480).
Security
Details
date
Feb. 1, 2022, 6:59 a.m.
type
Patch
official page
👇
Register or login to:
- 🔍View and search all Django releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!