django.git/django/db/models/sql/query.py, branch 4.0.6

django.git/django/db/models/sql/query.py, branch 4.0.6 django http://cgit.adnoto.dev/django.git/atom?h=4.0.6 2022-04-11T07:02:58Z [4.0.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL. 2022-04-11T07:02:58Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-04-01T11:48:47Z urn:sha1:00b0fc50e1738c7174c495464a5ef069408a4402 Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main. [4.0.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. 2022-04-11T07:02:14Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-04-01T06:10:22Z urn:sha1:800828887a0509ad1162d6d407e94d8de7eafc60 Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main. [4.0.x] Fixed #33598 -- Reverted "Removed unnecessary reuse_with_filtered_relation argument from Query methods." 2022-03-30T05:32:38Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-03-30T05:31:56Z urn:sha1:7d540d67a8fb17f820e1657ccb1509af86b27582 Thanks lind-marcus for the report. This reverts commit 0c71e0f9cfa714a22297ad31dd5613ee548db379. Regression in 0c71e0f9cfa714a22297ad31dd5613ee548db379. Backport of fac662f4798f7e4e0ed9be6b4fb4a87a80810a68 from main [4.0.x] Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-08T18:25:02Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-02-08T11:27:04Z urn:sha1:3278c31fa59b41d03aea167f4cf85f4ddf7f848d Backport of 7119f40c9881666b6f9b5cf7df09ee1d21cc8344 from main. [4.0.x] Refs #33476 -- Reformatted code with Black. 2022-02-08T11:15:38Z django-bot ops@djangoproject.com 2022-02-08T11:09:55Z urn:sha1:6a682b38e75d4c975b4c4493565a59f1bc14397c Backport of 9c19aff7c7561e3a82978a272ecdaad40dda5c00 from main. [4.0.x] Refs #33476 -- Refactored problematic code before reformatting by Black. 2022-02-03T10:38:46Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-02-03T10:20:46Z urn:sha1:d55a1e5809b424907528af42bfdfc2991ef11651 In these cases Black produces unexpected results, e.g. def make_random_password( self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789', ): or cursor.execute(""" SELECT ... """, [table name], ) Backport of c5cd8783825b5f6384417dac5f3889b4210b7d08 from main. [4.0.x] Fixed #33018 -- Fixed annotations with empty queryset. 2021-09-29T18:53:16Z David Wobrock david.wobrock@gmail.com 2021-09-28T22:00:50Z urn:sha1:b2a0978610413e4cd5ebb716b8bfa7803dff8d5b Thanks Simon Charette for the review and implementation idea. Backport of dd1fa3a31b4680c0d3712e6ae122b878138580c7 from main [4.0.x] Fixed #33141 -- Renamed Expression.empty_aggregate_value to empty_result_set_value. 2021-09-29T18:52:59Z David Wobrock david.wobrock@gmail.com 2021-09-24T20:05:02Z urn:sha1:aab76433ed585ebe997b94547e0d790605e01ad9 Backport of ad36a198a12df4dff65992191b3eb0a474e2daac from main Refs #27624 -- Optimized Query.clone() for non-combined queries. 2021-09-20T10:34:18Z Keryn Knight keryn@kerynknight.com 2021-09-16T10:03:04Z urn:sha1:5353e7c2505c0d0ab8232ad9c131b3c99c833988 This avoids constructing a generator expression and a new tuple if the Query has no combined queries. Refs #27624 -- Changed Query.explain_info to namedtuple. 2021-09-17T05:15:12Z Adam Johnson me@adamj.eu 2021-09-14T17:08:19Z urn:sha1:fc91ea1e50e5ef207f0f291b3f6c1942b10db7c7