Django - 4.0.2

Django 4.0.2 release notes

February 1, 2022

Django 4.0.2 fixes two security issues with severity “medium” and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).

CVE-2022-22818: Possible XSS via {% debug %} template tag

The {% debug %} template tag didn’t properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, {% debug %} no longer outputs any
information when the DEBUG setting is False, and it ensures all context
variables are correctly escaped when the DEBUG setting is True. Even on the
fixed version, a template containing {% debug %} should not be deployed with
DEBUG = True, since the tag still dumps every context variable to the page.
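To make the two halves of the fix concrete, here is an added example (not Django's code) contrasting the flawed pattern with the behaviour the notes describe. It uses the standard library's html.escape as a stand-in for Django's own escaping helper, and the context and the hostile value are constructed for the demonstration; the function names are assumptions.

```python
import html
from pprint import pformat

# Constructed sample context: one value is attacker-controlled, as when a view
# copies a query parameter into the template context. Not taken from Django.
HOSTILE_CONTEXT = [
    {"user": "alice"},
    {"q": "<script>alert(document.cookie)</script>"},
]


def render_debug_unsafe(context_dicts, debug):
    """The flawed pattern: pretty-print the context and return it verbatim.

    Output is produced whether or not debug is set, and nothing is escaped,
    so markup inside a context value is interpreted by the browser.
    """
    return "\n".join(pformat(d) for d in context_dicts)


def render_debug_hardened(context_dicts, debug):
    """The behaviour described in the 4.0.2 notes, as an illustration.

    Nothing is emitted when debug is False; when it is True every context
    dictionary is escaped *after* pretty-printing, so the quotes and angle
    brackets that pformat itself adds are covered as well.
    """
    if not debug:
        return ""
    return "\n".join(html.escape(pformat(d)) for d in context_dicts)


def contains_live_markup(rendered):
    """Crude reviewer check for any debug dump: did a raw tag survive?"""
    return "<script" in rendered
```

The check at the end is deliberately simple; the point is that with the hardened renderer it returns False for the same context that the unsafe renderer passes through unchanged.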

CVE-2022-23833: Denial-of-service possibility in file uploads

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.
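The notes do not say which inputs trigger the loop, and the example below does not reproduce Django's parser or the 4.0.1 defect. It is an added illustration of the general failure mode in a boundary scanner: reading chunks until a boundary appears without treating end-of-stream as termination, so a truncated body makes read() return empty bytes forever. The boundary, the sample bodies, the max_reads guard (which exists only so the flawed version can be demonstrated without hanging) and the function names are all assumptions.

```python
import io

# Constructed boundary for the demonstration; real boundaries come from the
# Content-Type header of the request.
BOUNDARY = b"--frontier"


def read_part_naive(stream, boundary, chunk_size=4, max_reads=1000):
    """Flawed reader: accumulate chunks until the boundary shows up.

    At EOF read() returns b'' every time, the buffer stops growing and the
    loop never ends. max_reads is a harness so the demo terminates; the
    pattern being illustrated has no such limit.
    """
    buf = b""
    reads = 0
    while boundary not in buf:
        buf += stream.read(chunk_size)
        reads += 1
        if reads > max_reads:
            raise RuntimeError("no forward progress: would loop forever")
    return buf.split(boundary, 1)[0]


def read_part_hardened(stream, boundary, chunk_size=4, max_part_size=1 << 20):
    """Reader that always makes progress or fails.

    An empty read means the body ended without the boundary: reject it.
    The size cap bounds memory for bodies that never terminate the part.
    """
    buf = b""
    while boundary not in buf:
        chunk = stream.read(chunk_size)
        if not chunk:
            raise ValueError("truncated multipart body: boundary not found")
        buf += chunk
        if len(buf) > max_part_size + len(boundary):
            raise ValueError("part exceeds size limit")
    return buf.split(boundary, 1)[0]


def outcome(reader, body):
    """Run a reader over a constructed body and report what happened."""
    try:
        return ("ok", reader(io.BytesIO(body), BOUNDARY))
    except (ValueError, RuntimeError) as exc:
        return ("error", type(exc).__name__)
```

Both readers agree on a well-formed part; on a body cut off before the boundary, the naive one only stops because of the harness guard, while the hardened one raises immediately. The same "empty read means stop" rule applies to any loop that drives a parser from a socket or upload stream.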

Bugfixes

  • Fixed a bug in Django 4.0 where TestCase.captureOnCommitCallbacks() could
    execute callbacks multiple times (#33410).
  • Fixed a regression in Django 4.0 where help_text was HTML-escaped in
    automatically-generated forms (#33419). help_text is rendered as-is, so
    any untrusted content placed in it must be escaped by the caller.
  • Fixed a regression in Django 4.0 that caused displaying an incorrect name for
    class-based views on the technical 404 debug page (#33425).
  • Fixed a regression in Django 4.0 that caused an incorrect repr of
    ResolverMatch for class-based views (#33426).
  • Fixed a regression in Django 4.0 that caused a crash of makemigrations on
    models without Meta.order_with_respect_to but with a field named
    _order (#33449).
  • Fixed a regression in Django 4.0 that caused incorrect
    ModelAdmin.radio_fields layout in the admin (#33407).
  • Fixed a duplicate operation regression in Django 4.0 that caused a migration
    crash when altering a primary key type for a concrete parent model referenced
    by a foreign key (#33462).
  • Fixed a bug in Django 4.0 that caused a crash of QuerySet.aggregate()
    after annotate() on an aggregate function with a default (#33468).
  • Fixed a regression in Django 4.0 that caused a crash of makemigrations
    when renaming a field of a renamed model (#33480).

Details

Date: Feb. 1, 2022, 6:59 a.m.
Type: Patch