89 lines
3.7 KiB
Plaintext
89 lines
3.7 KiB
Plaintext
==========================
|
|
Django 3.1.1 release notes
|
|
==========================
|
|
|
|
*September 1, 2020*
|
|
|
|
Django 3.1.1 fixes two security issues and several bugs in 3.1.
|
|
|
|
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
|
======================================================================================
|
|
|
|
On Python 3.7+, :setting:`FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not
|
|
applied to intermediate-level directories created in the process of uploading
|
|
files and to intermediate-level collected static directories when using the
|
|
:djadmin:`collectstatic` management command.
|
|
|
|
You should review and manually fix permissions on existing intermediate-level
|
|
directories.
|
|
|
|
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
|
|
===============================================================================================================
|
|
|
|
On Python 3.7+, the intermediate-level directories of the file system cache had
|
|
the system's standard umask rather than ``0o077`` (no group or others
|
|
permissions).
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed wrapping of translated action labels in the admin's navigation sidebar
|
|
for East Asian languages (:ticket:`31853`).
|
|
|
|
* Fixed wrapping of long model names in the admin's navigation sidebar
|
|
(:ticket:`31854`).
|
|
|
|
* Fixed encoding session data while upgrading multiple instances of the same
|
|
project to Django 3.1 (:ticket:`31864`).
|
|
|
|
* Adjusted admin's navigation sidebar template to reduce debug logging when
|
|
rendering (:ticket:`31865`).
|
|
|
|
* Fixed a data loss possibility in the
|
|
:meth:`~django.db.models.query.QuerySet.select_for_update()`. When using
|
|
related fields pointing to a proxy model in the ``of`` argument, the
|
|
corresponding model was not locked (:ticket:`31866`).
|
|
|
|
* Fixed a data loss possibility, following a regression in Django 2.0, when
|
|
copying model instances with a cached fields value (:ticket:`31863`).
|
|
|
|
* Fixed a regression in Django 3.1 that caused a crash when decoding an invalid
|
|
session data (:ticket:`31895`).
|
|
|
|
* Reverted a deprecation in Django 3.1 that caused a crash when passing
|
|
deprecated keyword arguments to a queryset in
|
|
``TemplateView.get_context_data()`` (:ticket:`31877`).
|
|
|
|
* Enforced thread sensitivity of the :class:`MiddlewareMixin.process_request()
|
|
<django.utils.deprecation.MiddlewareMixin>` and ``process_response()`` hooks
|
|
when in an async context (:ticket:`31905`).
|
|
|
|
* Fixed ``__in`` lookup on key transforms for
|
|
:class:`~django.db.models.JSONField` with MariaDB, MySQL, Oracle, and SQLite
|
|
(:ticket:`31936`).
|
|
|
|
* Fixed a regression in Django 3.1 that caused permission errors in
|
|
``CommonPasswordValidator`` and ``settings.py`` generated by the
|
|
:djadmin:`startproject` command, when user didn't have permissions to all
|
|
intermediate directories in a Django installation path (:ticket:`31912`).
|
|
|
|
* Fixed detecting an async ``get_response`` callable in various builtin
|
|
middlewares (:ticket:`31928`).
|
|
|
|
* Fixed a ``QuerySet.order_by()`` crash on PostgreSQL when ordering and
|
|
grouping by :class:`~django.db.models.JSONField` with a custom
|
|
:attr:`~django.db.models.JSONField.decoder` (:ticket:`31956`). As a
|
|
consequence, fetching a ``JSONField`` with raw SQL now returns a string
|
|
instead of preloaded data. You will need to explicitly call ``json.loads()``
|
|
in such cases.
|
|
|
|
* Fixed a ``QuerySet.delete()`` crash on MySQL, following a performance
|
|
regression in Django 3.1 on MariaDB 10.3.2+, when filtering against an
|
|
aggregate function (:ticket:`31965`).
|
|
|
|
* Fixed a ``django.contrib.admin.EmptyFieldListFilter`` crash when using on
|
|
reverse relations (:ticket:`31952`).
|
|
|
|
* Prevented content overflowing in the admin changelist view when the
|
|
navigation sidebar is enabled (:ticket:`31901`).
|