Django 4.2.1 release notes

May 3, 2023

Django 4.2.1 fixes a security issue with severity "low" and several bugs in 4.2.

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field

Uploading multiple files using one form field has never been supported by forms.FileField or forms.ImageField as only the last uploaded file was validated. Unfortunately, 上传多个文件 topic suggested otherwise.

In order to avoid the vulnerability, ClearableFileInput and FileInput form widgets now raise ValueError when the multiple HTML attribute is set on them. To prevent the exception and keep the old behavior, set allow_multiple_selected to True.

For more details on using the new attribute and handling of multiple files through a single field, see 上传多个文件.

漏洞修复

  • Fixed a regression in Django 4.2 that caused a crash of QuerySet.defer() when deferring fields by attribute names (#34458).
  • Fixed a regression in Django 4.2 that caused a crash of SearchVector function with % characters (#34459).
  • Fixed a regression in Django 4.2 that caused aggregation over query that uses explicit grouping to group against the wrong columns (#34464).
  • Reallowed, following a regression in Django 4.2, setting the "cursor_factory" option in OPTIONS on PostgreSQL (#34466).
  • Enforced UTF-8 client encoding on PostgreSQL, following a regression in Django 4.2 (#34470).
  • Fixed a regression in Django 4.2 where i18n_patterns() didn't respect the prefix_default_language argument when a fallback language of the default language was used (#34455).
  • Fixed a regression in Django 4.2 where translated URLs of the default language from i18n_patterns() with prefix_default_language set to False raised 404 errors for a request with a different language (#34515).
  • Fixed a regression in Django 4.2 where creating copies and deep copies of HttpRequest, HttpResponse, and their subclasses didn't always work correctly (#34482, #34484).
  • Fixed a regression in Django 4.2 where timesince and timeuntil template filters returned incorrect results for a datetime with a non-UTC timezone when a time difference is less than 1 day (#34483).
  • Fixed a regression in Django 4.2 that caused a crash of SearchHeadline function with psycopg 3 (#34486).
  • Fixed a regression in Django 4.2 that caused incorrect ClearableFileInput margins in the admin (#34506).
  • Fixed a regression in Django 4.2 where breadcrumbs didn't appear on admin site app index views (#34512).
  • Made squashing migrations reduce AddIndex, RemoveIndex, RenameIndex, and CreateModel operations which allows removing a deprecated Meta.index_together option from historical migrations and use Meta.indexes instead (#34525).
« previous | up | next »