Django 3.2.1 release notes

May 4, 2021

Django 3.2.1 fixes a security issue and several bugs in 3.2.

CVE-2021-31542: Potential directory-traversal via uploaded files

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now applied.
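The kind of basename and path check described above, sketched with the standard library only. This is an added illustration, not Django's code; `SuspiciousFileName`, `sanitize_basename` and `resolve_under` are hypothetical names, and the sample file names are constructed.

```python
import os
import posixpath


class SuspiciousFileName(ValueError):
    """Raised when a client-supplied name could escape the upload root."""


def sanitize_basename(raw_name: str) -> str:
    """Reduce a client-supplied file name to a bare basename, or reject it."""
    # Treat both separator styles as separators, whatever the server OS is.
    name = posixpath.basename(raw_name.replace("\\", "/"))
    # An empty name or a dot entry names a directory, not a file to store.
    if name in {"", ".", ".."}:
        raise SuspiciousFileName(f"unusable file name: {raw_name!r}")
    return name


def resolve_under(root: str, relative_path: str) -> str:
    """Join relative_path onto root; refuse any result outside root."""
    root_real = os.path.realpath(root)
    rel = relative_path.replace("\\", "/")
    # realpath collapses ".." segments and follows symlinks, so the
    # containment check below is made on the final location.
    candidate = os.path.realpath(os.path.join(root_real, rel))
    inside = os.path.commonpath([root_real, candidate]) == root_real
    if not inside or candidate == root_real:
        raise SuspiciousFileName(f"path escapes upload root: {relative_path!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample names, as a client might send them.
    samples = ["report.pdf", "../../etc/passwd", "..\\..\\boot.ini", "uploads/.."]
    for raw in samples:
        try:
            print(f"{raw!r} -> {sanitize_basename(raw)!r}")
        except SuspiciousFileName as exc:
            print(f"{raw!r} rejected: {exc}")
```
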

Bugfixes

  • Corrected detection of GDAL 3.2 on Windows (#32544).
  • Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting (#32620).
  • Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field (#32627).
  • Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page (#32637).
  • Fixed a bug in Django 3.2 where a system check would crash on reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition (#32635).
  • Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes (#32649).
  • Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering the sitemap template if alternates were not defined (#32648).
  • Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contain boolean expressions (#32548).
  • Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB (#32645).
  • Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format (#32643).
  • Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist (#32647).
  • Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path) (#32665).
  • Fixed a long-standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships (#32650).
  • Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates (#32681).
  • Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships (#32682). The admin changelist now uses Exists() instead of QuerySet.distinct() because calling delete() after distinct() is not allowed in Django 3.2 to address a data loss possibility.
  • Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL (#32687).
  • Fixed a performance regression in Django 3.2 when building complex filters with subqueries (#32632). As a side-effect the private API to check django.db.sql.query.Query equality is removed.