Django 3.0.3 release notes
February 3, 2020
Django 3.0.3 fixes a security issue and several bugs in 3.0.2.
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
The StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
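Before 3.0.3, StringAgg substituted its delimiter argument into the SQL template as text (wrapped only in single quotes), so a delimiter containing a quote could terminate the literal and append arbitrary SQL; the fix passes the delimiter as a Value() expression, so it travels to the database as a bound query parameter. The following added example (not Django's code, not part of the release notes) reproduces both shapes with sqlite3's group_concat() standing in for PostgreSQL's STRING_AGG; the class names, the PAYLOAD string and the in-memory users/secrets tables are all constructed for the illustration.

```python
"""Illustration of CVE-2020-7471: an aggregate whose delimiter is formatted
into the SQL text, beside one that binds it as a query parameter.

Added example, not Django's implementation. sqlite3's group_concat(X, Y)
stands in for PostgreSQL's STRING_AGG; the schema and data are constructed.
"""
import sqlite3


def build_schema():
    """Constructed sample data: the table the query is meant to read, and a
    second table the query must never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT);
        INSERT INTO users VALUES ('alice'), ('bob');
        CREATE TABLE secrets (secret TEXT);
        INSERT INTO secrets VALUES ('hunter2');
        """
    )
    return conn


class VulnerableStringAgg:
    """Pre-3.0.3 shape (hypothetical class): the delimiter is %-formatted
    into the template, so quote characters in it become SQL syntax."""

    template = "SELECT group_concat(name, '%(delimiter)s') FROM users"

    def __init__(self, delimiter):
        self.delimiter = delimiter

    def as_sql(self):
        # Returns (sql, params) like a Django expression; params is empty
        # because the delimiter has already been pasted into the SQL text.
        return self.template % {"delimiter": self.delimiter}, []


class FixedStringAgg:
    """3.0.3 shape (hypothetical class): the delimiter is a parameter, so
    the driver treats it as data regardless of its content."""

    template = "SELECT group_concat(name, ?) FROM users"

    def __init__(self, delimiter):
        self.delimiter = str(delimiter)

    def as_sql(self):
        return self.template, [self.delimiter]


def run(agg, conn):
    """Compile the aggregate and execute it, returning the single result."""
    sql, params = agg.as_sql()
    return conn.execute(sql, params).fetchone()[0]


# Constructed attack delimiter: closes the quoted literal, concatenates a
# subquery against the other table, and reopens an empty literal so the
# statement still parses.
PAYLOAD = "') || (SELECT secret FROM secrets) || ('"


def demo():
    """Run the same payload through both shapes plus a benign delimiter."""
    conn = build_schema()
    return {
        "vulnerable": run(VulnerableStringAgg(PAYLOAD), conn),
        "fixed": run(FixedStringAgg(PAYLOAD), conn),
        "benign": run(FixedStringAgg(", "), conn),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

With the vulnerable shape the result string contains the secret from the unrelated table; with the parameterised shape the payload is merely used verbatim as the join string between names. The check to carry over to real code is the one in `as_sql()`: any user-influenced value must end up in the params list, never in the SQL text.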
Bugfixes
- Fixed a regression in Django 3.0 that caused a crash when subtracting DateField, DateTimeField, or TimeField from a Subquery() annotation (#31133).
- Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and Exists() annotation (#31136).
- Relaxed the system check added in Django 3.0 to reallow use of a sublanguage in the LANGUAGE_CODE setting, when a base language is available in Django but the sublanguage is not (#31141).
- Added support for using enumeration types TextChoices, IntegerChoices, and Choices in templates (#31154).
- Fixed a system check to ensure the max_length attribute fits the longest choice, when a named group contains only non-string values (#31155).
- Fixed a regression in Django 2.2 that caused a crash of ArrayAgg and StringAgg with filter argument when used in a Subquery (#31097).
- Fixed a regression in Django 2.2.7 that caused get_FOO_display() to work incorrectly when overriding inherited choices (#31124).
- Fixed a regression in Django 3.0 that caused a crash of QuerySet.prefetch_related() for GenericForeignKey with a custom ContentType foreign key (#31190).