CVE-2021-31542: Potential directory-traversal via uploaded files¶

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now applied.

Bugfixes¶

• Corrected detection of GDAL 3.2 on Windows (#32544).

• Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting (#32620).

• Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field (#32627).

• Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page (#32637).

• Fixed a bug in Django 3.2 where a system check would crash on a reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition (#32635).

• Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes (#32649).

• Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined (#32648).

• Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contains boolean expressions (#32548).

• Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB (#32645).

• Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format (#32643).

• Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist (#32647).

• Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path) (#32665).

• Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships (#32650).

• Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates (#32681).

• Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships (#32682). The admin changelist now uses Exists() instead of QuerySet.distinct() because calling delete() after distinct() is not allowed in Django 3.2 to address a data loss possibility.

• Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL (#32687).

• Fixed a performance regression in Django 3.2 when building complex filters with subqueries (#32632). As a side-effect the private API to check django.db.sql.query.Query equality is removed.