django/docs/releases/2.2.2.txt

==========================
Django 2.2.2 release notes
==========================

*June 3, 2019*

Django 2.2.2 fixes security issues and several bugs in 2.2.1.

CVE-2019-12308: AdminURLFieldWidget XSS
---------------------------------------

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using
:class:`~django.core.validators.URLValidator` before displaying the clickable
link. You may customize the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.

Bugfixes
========

* Fixed a regression in Django 2.2 that stopped Show/Hide toggles working on
  dynamically added admin inlines (:ticket:`30459`).

* Fixed a regression in Django 2.2 where deprecation message crashes if
  ``Meta.ordering`` contains an expression (:ticket:`30463`).

* Fixed a regression in Django 2.2.1 where
  :class:`~django.contrib.postgres.search.SearchVector` generates SQL with a
  redundant ``Coalesce`` call (:ticket:`30488`).

* Fixed a regression in Django 2.2 where auto-reloader doesn't detect changes
  in ``manage.py`` file when using ``StatReloader`` (:ticket:`30479`).

* Fixed crash of :class:`~django.contrib.postgres.aggregates.ArrayAgg` and
  :class:`~django.contrib.postgres.aggregates.StringAgg` with ``ordering``
  argument when used in a ``Subquery`` (:ticket:`30315`).

* Fixed a regression in Django 2.2 that caused a crash of auto-reloader when
  an exception with custom signature is raised (:ticket:`30516`).

* Fixed a regression in Django 2.2.1 where auto-reloader unnecessarily reloads
  translation files multiple times when using ``StatReloader``
  (:ticket:`30523`).
Added stub release notes for 2.2.2. 2019-05-08 20:41:16 +08:00			`==========================`
			`Django 2.2.2 release notes`
			`==========================`

Added stub release notes for security releases. 2019-05-27 15:37:10 +08:00			`June 3, 2019`
Added stub release notes for 2.2.2. 2019-05-08 20:41:16 +08:00
Added stub release notes for security releases. 2019-05-27 15:37:10 +08:00			`Django 2.2.2 fixes security issues and several bugs in 2.2.1.`
Added stub release notes for 2.2.2. 2019-05-08 20:41:16 +08:00
Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link. 2019-05-23 18:06:34 +08:00			`CVE-2019-12308: AdminURLFieldWidget XSS`
			`---------------------------------------`

			The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
			`the provided value without validating it as a safe URL. Thus, an unvalidated`
			`value stored in the database, or a value provided as a URL query parameter`
			`payload, could result in an clickable JavaScript link.`

			``AdminURLFieldWidget`` now validates the provided value using
			:class:`~django.core.validators.URLValidator` before displaying the clickable
Fixed typos in 1.11.21, 2.1.9, 2.2.2 release notes. 2019-06-03 19:16:29 +08:00			link. You may customize the validator by passing a ``validator_class`` kwarg to
Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link. 2019-05-23 18:06:34 +08:00			``AdminURLFieldWidget.__init__()``, e.g. when using
			:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

Applied jQuery patch for CVE-2019-11358. 2019-05-27 17:07:46 +08:00			`Patched bundled jQuery for CVE-2019-11358: Prototype pollution`
			`--------------------------------------------------------------`

			jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
			``Object.prototype`` pollution. If an unsanitized source object contained an
			enumerable ``__proto__`` property, it could extend the native
			``Object.prototype``.

			`The bundled version of jQuery used by the Django admin has been patched to`
			allow for the ``select2`` library's use of ``jQuery.extend()``.

Added stub release notes for 2.2.2. 2019-05-08 20:41:16 +08:00			`Bugfixes`
			`========`

Fixed #30459 -- Delegated hide/show JS toggle to parent div. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> 2019-05-11 18:30:19 +08:00			`* Fixed a regression in Django 2.2 that stopped Show/Hide toggles working on`
			dynamically added admin inlines (:ticket:`30459`).
Fixed #30463 -- Fixed crash of deprecation message when Meta.ordering contains expressions. Regression in 1b1f64ee5a78cc217fead52cbae23114502cf564. 2019-05-17 15:30:57 +08:00
			`* Fixed a regression in Django 2.2 where deprecation message crashes if`
			``Meta.ordering`` contains an expression (:ticket:`30463`).
Fixed #30488 -- Removed redundant Coalesce call in SQL generated by SearchVector. Regression in 405c8363362063542e9e79beac53c8437d389520. 2019-05-17 22:27:01 +08:00
			`* Fixed a regression in Django 2.2.1 where`
			:class:`~django.contrib.postgres.search.SearchVector` generates SQL with a
			redundant ``Coalesce`` call (:ticket:`30488`).
Fixed #30479 -- Fixed detecting changes in manage.py by autoreloader when using StatReloader. Regression in c8720e7696ca41f3262d5369365cc1bd72a216ca. 2019-05-28 03:14:49 +08:00
			`* Fixed a regression in Django 2.2 where auto-reloader doesn't detect changes`
			in ``manage.py`` file when using ``StatReloader`` (:ticket:`30479`).
Fixed #30315 -- Fixed crash of ArrayAgg and StringAgg with ordering when used in Subquery. 2019-05-25 21:19:32 +08:00
			* Fixed crash of :class:`~django.contrib.postgres.aggregates.ArrayAgg` and
			:class:`~django.contrib.postgres.aggregates.StringAgg` with ``ordering``
			argument when used in a ``Subquery`` (:ticket:`30315`).
Fixed #30516 -- Fixed crash of autoreloader when re-raising exceptions with custom signature. Regression in c8720e7696ca41f3262d5369365cc1bd72a216ca. 2019-05-29 02:06:39 +08:00
			`* Fixed a regression in Django 2.2 that caused a crash of auto-reloader when`
			an exception with custom signature is raised (:ticket:`30516`).
Fixed #30523 -- Fixed updating file modification times on seen files in auto-reloader when using StatReloader. Previously we updated the file mtimes if the file has not been seen before - i.e on the first iteration of the loop. If the mtime has been changed we triggered the notify_file_changed() method which in all cases except the translations will result in the process being terminated. To be strictly correct we need to update the mtime for either branch of the conditional. Regression in 6754bffa2b2df15a741008aa611c1bb0e8dff22b. 2019-05-27 19:50:05 +08:00
			`* Fixed a regression in Django 2.2.1 where auto-reloader unnecessarily reloads`
			translation files multiple times when using ``StatReloader``
			(:ticket:`30523`).