Django 3.0.3 release notes

February 3, 2020

Django 3.0.3 fixes a security issue and several bugs in 3.0.2.

CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)

StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.

Bugfixes

  • Fixed a regression in Django 3.0 that caused a crash when subtracting DateField, DateTimeField, or TimeField from a Subquery() annotation (#%s31133).
  • Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and Exists() annotation (#%s31136).
  • Relaxed the system check added in Django 3.0 to reallow use of a sublanguage in the LANGUAGE_CODE setting, when a base language is available in Django but the sublanguage is not (#%s31141).
  • Added support for using enumeration types TextChoices, IntegerChoices, and Choices in templates (#%s31154).
  • Fixed a system check to ensure the max_length attribute fits the longest choice, when a named group contains only non-string values (#%s31155).
  • Fixed a regression in Django 2.2 that caused a crash of ArrayAgg and StringAgg with filter argument when used in a Subquery (#%s31097).
  • Fixed a regression in Django 2.2.7 that caused get_FOO_display() to work incorrectly when overriding inherited choices (#%s31124).
  • Fixed a regression in Django 3.0 that caused a crash of QuerySet.prefetch_related() for GenericForeignKey with a custom ContentType foreign key (#%s31190).
up