==========================
Django 2.2.2 release notes
==========================

*June 3, 2019*

Django 2.2.2 fixes security issues and several bugs in 2.2.1.

CVE-2019-12308: AdminURLFieldWidget XSS
---------------------------------------

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in a clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using
:class:`~django.core.validators.URLValidator` before displaying the clickable
link. You may customize the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

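The fix is a validate-before-link check. The following added example is not
Django's code: it reproduces the pattern in plain Python with a miniature
stand-in for the "Current URL" rendering, so the vulnerable output can be
compared with the fixed one. ``SchemeURLValidator`` is a constructed,
deliberately simple stand-in for ``URLValidator`` (an assumption about its
behaviour, not its real logic), ``HttpsOnlyValidator`` is a hypothetical
stricter validator of the kind one would pass as ``validator_class``, and the
payloads are constructed inputs.

```python
"""Validate-before-link, the pattern behind the CVE-2019-12308 fix.

Added example, not Django's code. SchemeURLValidator is a constructed
stand-in for django.core.validators.URLValidator; HttpsOnlyValidator is a
hypothetical stricter validator passed via ``validator_class``.
"""
from html import escape
from urllib.parse import urlsplit


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError."""


class SchemeURLValidator:
    """Constructed validator: accept only absolute URLs on an allowlisted scheme.

    The real URLValidator also checks host and path syntax; the point here is
    that a ``javascript:`` value can never pass any URL validator, because it
    has neither an allowed scheme nor a host.
    """

    schemes = ("http", "https", "ftp", "ftps")

    def __call__(self, value):
        parts = urlsplit(value)
        if parts.scheme.lower() not in self.schemes or not parts.netloc:
            raise ValidationError(f"{value!r} is not a valid URL")


class HttpsOnlyValidator(SchemeURLValidator):
    """Hypothetical stricter validator, the kind passed as validator_class."""

    schemes = ("https",)


def render_current_url_vulnerable(value):
    """Pre-2.2.2 behaviour: every non-empty value becomes a clickable link.

    HTML escaping is applied, but escaping cannot help here:
    ``javascript:alert(1)`` is a well-formed attribute value, so the
    browser still receives a JavaScript URL in ``href``.
    """
    if not value:
        return ""
    url = escape(value, quote=True)
    return f'<p class="url">Currently: <a href="{url}">{url}</a></p>'


def render_current_url_fixed(value, validator_class=SchemeURLValidator):
    """2.2.2 behaviour: emit the anchor only when the value validates.

    ``validator_class`` mirrors the kwarg described in the release notes:
    the class is instantiated and called on the raw (unescaped) value.
    """
    if not value:
        return ""
    url = escape(value, quote=True)
    try:
        validator_class()(value)
    except ValidationError:
        # Still show the stored value as text, but never as an anchor.
        return f'<p class="url">Currently: {url}</p>'
    return f'<p class="url">Currently: <a href="{url}">{url}</a></p>'


def is_clickable(html):
    """True when the rendered markup contains an anchor the user can click."""
    return "<a href=" in html


if __name__ == "__main__":
    # Constructed inputs: a benign URL and a query-string / database payload.
    for payload in ("https://example.com/docs/", "javascript:alert(document.cookie)"):
        print(payload)
        print("  vulnerable:", render_current_url_vulnerable(payload))
        print("  fixed:     ", render_current_url_fixed(payload))
    # The hypothetical stricter validator also refuses plain http.
    print(render_current_url_fixed("http://example.com/", validator_class=HttpsOnlyValidator))
```

Running the block shows that escaping alone leaves
``href="javascript:alert(document.cookie)"`` in place, while the validated
rendering keeps the value visible as text and drops the anchor; swapping in
``HttpsOnlyValidator`` tightens the check the same way a custom
``validator_class`` would in ``formfield_overrides``.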
    
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------

jQuery before 3.4.0 mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
close this hole; the patch matters because the admin's ``select2`` library
uses ``jQuery.extend()``.

    
Bugfixes
========

* Fixed a regression in Django 2.2 that stopped Show/Hide toggles working on
  dynamically added admin inlines (:ticket:`30459`).

* Fixed a regression in Django 2.2 where the deprecation message crashed if
  ``Meta.ordering`` contained an expression (:ticket:`30463`).

* Fixed a regression in Django 2.2.1 where
  :class:`~django.contrib.postgres.search.SearchVector` generated SQL with a
  redundant ``Coalesce`` call (:ticket:`30488`).

* Fixed a regression in Django 2.2 where the auto-reloader didn't detect
  changes to the ``manage.py`` file when using ``StatReloader``
  (:ticket:`30479`).

* Fixed a crash of :class:`~django.contrib.postgres.aggregates.ArrayAgg` and
  :class:`~django.contrib.postgres.aggregates.StringAgg` with the ``ordering``
  argument when used in a ``Subquery`` (:ticket:`30315`).

* Fixed a regression in Django 2.2 that caused the auto-reloader to crash when
  an exception with a custom signature was raised (:ticket:`30516`).

* Fixed a regression in Django 2.2.1 where the auto-reloader unnecessarily
  reloaded translation files multiple times when using ``StatReloader``
  (:ticket:`30523`).