May 4, 2021
Django 3.2.1 fixes a security issue and several bugs in 3.2.
directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied.
SmallAutoFieldwere not allowed for the
difference()when it was ordered by an unannotated field (#32627).
ModelAdmin.search_fieldswhen searching against phrases with unbalanced quotes (#32649).
Q()objects which contains boolean expressions (#32548).
QuerySet.update()on a queryset ordered by inherited or joined fields on MySQL and MariaDB (#32645).
django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format (#32643).
STATICFILES_DIRSsetting with a list of 2-tuples of
exclude()multi-valued relationships (#32650).
distinct()is not allowed in Django 3.2 to address a data loss possibility.
dbshellcommand on PostgreSQL (#32687).
django.db.sql.query.Queryequality is removed.