September 1, 2020
Django 3.1.1 fixes two security issues and several bugs in 3.1.
On Python 3.7+,
FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not
applied to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using the
collectstatic management command.
You should review and manually fix permissions on existing intermediate-level directories.
On Python 3.7+, the intermediate-level directories of the file system cache had
the system’s standard umask rather than
0o077 (no group or others
Fixed wrapping of translated action labels in the admin’s navigation sidebar for East Asian languages (#31853).
Fixed wrapping of long model names in the admin’s navigation sidebar (#31854).
Fixed encoding session data while upgrading multiple instances of the same project to Django 3.1 (#31864).
Adjusted admin’s navigation sidebar template to reduce debug logging when rendering (#31865).
Fixed a data loss possibility in the
select_for_update(). When using
related fields pointing to a proxy model in the
of argument, the
corresponding model was not locked (#31866).
Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value (#31863).
Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data (#31895).
Reverted a deprecation in Django 3.1 that caused a crash when passing
deprecated keyword arguments to a queryset in
Enforced thread sensitivity of the
when in an async context (#31905).
__in lookup on key transforms for
JSONField with MariaDB, MySQL, Oracle, and SQLite
Fixed a regression in Django 3.1 that caused permission errors in
settings.py generated by the
startproject command, when user didn’t have permissions to all
intermediate directories in a Django installation path (#31912).
Fixed detecting an async
get_response callable in various builtin
QuerySet.order_by() crash on PostgreSQL when ordering and
JSONField with a custom
decoder (#31956). As a
consequence, fetching a
JSONField with raw SQL now returns a string
instead of pre-loaded data. You will need to explicitly call
in such cases.
QuerySet.delete() crash on MySQL, following a performance
regression in Django 3.1 on MariaDB 10.3.2+, when filtering against an
aggregate function (#31965).
django.contrib.admin.EmptyFieldListFilter crash when using on
reverse relations (#31952).
Prevented content overflowing in the admin changelist view when the navigation sidebar is enabled (#31901).