Django 2.2.2 release notes¶
June 3, 2019
Django 2.2.2 fixes security issues and several bugs in 2.2.1.
CVE-2019-12308: AdminURLFieldWidget XSS¶
The clickable “Current URL” link generated by AdminURLFieldWidget
displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.
AdminURLFieldWidget
now validates the provided value using
URLValidator
before displaying the clickable
link. You may customize the validator by passing a validator_class
kwarg to
AdminURLFieldWidget.__init__()
, e.g. when using
formfield_overrides
.
Patched bundled jQuery for CVE-2019-11358: Prototype pollution¶
jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...)
because of
Object.prototype
pollution. If an unsanitized source object contained an
enumerable __proto__
property, it could extend the native
Object.prototype
.
The bundled version of jQuery used by the Django admin has been patched to
allow for the select2
library’s use of jQuery.extend()
.
Bugfixes¶
- Fixed a regression in Django 2.2 that stopped Show/Hide toggles working on dynamically added admin inlines (#30459).
- Fixed a regression in Django 2.2 where deprecation message crashes if
Meta.ordering
contains an expression (#30463). - Fixed a regression in Django 2.2.1 where
SearchVector
generates SQL with a redundantCoalesce
call (#30488). - Fixed a regression in Django 2.2 where auto-reloader doesn’t detect changes
in
manage.py
file when usingStatReloader
(#30479). - Fixed crash of
ArrayAgg
andStringAgg
withordering
argument when used in aSubquery
(#30315). - Fixed a regression in Django 2.2 that caused a crash of auto-reloader when an exception with custom signature is raised (#30516).
- Fixed a regression in Django 2.2.1 where auto-reloader unnecessarily reloads
translation files multiple times when using
StatReloader
(#30523).