==========================
Django 4.0.2 release notes
==========================

*February 1, 2022*

Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

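As an added illustration (not Django's own template tag or its patch), the two properties the fix above describes, side by side with the unsafe shape, in stand-alone Python. ``html.escape`` stands in for Django's escaping utilities, the ``debug`` parameter stands in for the ``DEBUG`` setting, and the context dict is constructed sample input whose ``query`` value plays the role of a request parameter echoed into the page.

```python
import html
import pprint

# Constructed template context: "query" stands in for a request parameter
# that ends up in the context and is dumped by the debug tag.
CONTEXT = {
    "user": "alice",
    "query": '<script>alert("xss")</script>',
    "items": ["<b>one</b>", 2],
}


def render_debug_before(context):
    """Pre-fix shape of the tag: dump the raw context with pprint.

    Any markup inside a value is emitted verbatim into the page, and the
    dump is produced no matter what the DEBUG setting is.
    """
    return pprint.pformat(context)


def render_debug_after(context, debug):
    """Post-fix shape of the tag, mirroring the two guarantees in the note.

    1. Emit nothing at all unless DEBUG is on.
    2. HTML-escape the whole dump, so no context value can inject markup.
    """
    if not debug:
        return ""
    return html.escape(pprint.pformat(context))


if __name__ == "__main__":
    print("before:\n", render_debug_before(CONTEXT))
    print("after, DEBUG=False:", repr(render_debug_after(CONTEXT, False)))
    print("after, DEBUG=True:\n", render_debug_after(CONTEXT, True))
```

Escaping the finished ``pformat`` text rather than individual values is the simplest way to cover nested containers, since every string inside the dump passes through the same escape.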
    
CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.

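The note above does not say which inputs were involved. As an added illustration that is neither Django's multipart parser nor its patch, the following stand-alone Python shows the general guard a chunked multipart reader needs against this class of bug: every loop iteration either consumes bytes or raises, so a truncated body or a missing boundary ends in an error instead of an endless loop, and buffered data is capped so a missing terminator cannot grow memory without bound. The body bytes and the boundary ``frontier`` are constructed sample input; the class and function names are this example's own.

```python
import io


class MalformedMultipart(ValueError):
    """Raised instead of looping when the body does not match expectations."""


class BoundedReader:
    """Chunked reader whose loops always make progress or fail.

    Two guards cover the two ways a naive reader can spin forever:
    end-of-stream is an error rather than something to retry, and the
    amount buffered for one part is capped.
    """

    def __init__(self, stream, chunk_size=8, max_part=1 << 20):
        self.stream = stream
        self.chunk_size = chunk_size
        self.max_part = max_part
        self.buf = b""

    def _fill(self):
        chunk = self.stream.read(self.chunk_size)
        if not chunk:
            # A naive loop would call read() again here and never terminate.
            raise MalformedMultipart("unexpected end of stream")
        self.buf += chunk
        if len(self.buf) > self.max_part:
            raise MalformedMultipart("part exceeds size limit")

    def read_exact(self, n):
        while len(self.buf) < n:
            self._fill()
        data, self.buf = self.buf[:n], self.buf[n:]
        return data

    def read_until(self, delimiter):
        """Return bytes up to the delimiter, consuming the delimiter too."""
        while True:
            idx = self.buf.find(delimiter)
            if idx != -1:
                data = self.buf[:idx]
                self.buf = self.buf[idx + len(delimiter):]
                return data
            self._fill()  # either adds bytes or raises


def split_parts(body, boundary, chunk_size=8):
    """Split a multipart body into (raw_headers, content) pairs."""
    reader = BoundedReader(io.BytesIO(body), chunk_size=chunk_size)
    delim = b"--" + boundary
    reader.read_until(delim)  # discard the preamble before the first boundary
    parts = []
    while True:
        tail = reader.read_exact(2)
        if tail == b"--":
            return parts  # closing boundary reached
        if tail != b"\r\n":
            raise MalformedMultipart("malformed boundary line")
        raw = reader.read_until(b"\r\n" + delim)
        headers, _, content = raw.partition(b"\r\n\r\n")
        parts.append((headers, content))


def is_well_formed(body, boundary):
    """True if the body parses to completion, False if the guards fired."""
    try:
        split_parts(body, boundary)
    except MalformedMultipart:
        return False
    return True


# Constructed sample bodies.
BOUNDARY = b"frontier"
GOOD_BODY = (
    b"--frontier\r\n"
    b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--frontier\r\n"
    b'Content-Disposition: form-data; name="g"\r\n'
    b"\r\n"
    b"<b>x</b>\r\n"
    b"--frontier--\r\n"
)
TRUNCATED_BODY = GOOD_BODY[:-4]  # closing "--\r\n" dropped mid-upload

if __name__ == "__main__":
    for name, content in split_parts(GOOD_BODY, BOUNDARY):
        print(name.split(b"\r\n")[0], content)
    print("truncated body well-formed:", is_well_formed(TRUNCATED_BODY, BOUNDARY))
```

The small ``chunk_size`` is deliberate: it forces the delimiter search to span several reads, which is exactly the path where a reader that forgets to check for end-of-stream keeps spinning.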
    
Bugfixes
========

* Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could
  execute callbacks multiple times (:ticket:`33410`).

* Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in
  automatically-generated forms (:ticket:`33419`).

* Fixed a regression in Django 4.0 that caused displaying an incorrect name for
  class-based views on the technical 404 debug page (:ticket:`33425`).

* Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of
  ``ResolverMatch`` for class-based views (:ticket:`33426`).

* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on
  models without ``Meta.order_with_respect_to`` but with a field named
  ``_order`` (:ticket:`33449`).

* Fixed a regression in Django 4.0 that caused incorrect
  :attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`).

* Fixed a duplicate operation regression in Django 4.0 that caused a migration
  crash when altering a primary key type for a concrete parent model referenced
  by a foreign key (:ticket:`33462`).

* Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()``
  after ``annotate()`` on an aggregate function with a
  :ref:`default <aggregate-default>` (:ticket:`33468`).

* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations``
  when renaming a field of a renamed model (:ticket:`33480`).