django.git/docs/releases/3.2.2.txt, branch main

django.git/docs/releases/3.2.2.txt, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2021-05-06T06:45:23Z Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. 2021-05-06T06:45:23Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-05-06T06:45:23Z urn:sha1:e1e81aa1c4427411e3c68facdd761229ffea6f6f In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Fixed #32714 -- Prevented recreation of migration for Meta.ordering with OrderBy expressions. 2021-05-05T06:43:57Z Simon Charette charette.s@gmail.com 2021-05-04T21:49:46Z urn:sha1:96f55ccf798c7592a1203f798a4dffaf173a9263 Regression in c8b659430556dca0b2fe27cf2ea0f8290dbafecd. Thanks Kevin Marsh for the report. Added stub release notes for Django 3.2.2. 2021-05-04T09:01:33Z Carlton Gibson carlton.gibson@noumenal.es 2021-05-04T09:01:33Z urn:sha1:5a43cfe24533591a020ba4e730440bad81c478db