CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)¶

StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.

Bugfixes¶

• Fixed a regression in Django 3.0 that caused a crash when subtracting DateField, DateTimeField, or TimeField from a Subquery() annotation (#31133).

• Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and Exists() annotation (#31136).

• Relaxed the system check added in Django 3.0 to reallow use of a sublanguage in the LANGUAGE_CODE setting, when a base language is available in Django but the sublanguage is not (#31141).

• Added support for using enumeration types TextChoices, IntegerChoices, and Choices in templates (#31154).

• Fixed a system check to ensure the max_length attribute fits the longest choice, when a named group contains only non-string values (#31155).

• Fixed a regression in Django 2.2 that caused a crash of ArrayAgg and StringAgg with filter argument when used in a Subquery (#31097).

• Fixed a regression in Django 2.2.7 that caused get_FOO_display() to work incorrectly when overriding inherited choices (#31124).

• Fixed a regression in Django 3.0 that caused a crash of QuerySet.prefetch_related() for GenericForeignKey with a custom ContentType foreign key (#31190).