django.git/django/db/models/sql/query.py, branch 6.0rc1django
http://cgit.adnoto.dev/django.git/atom?h=6.0rc12025-10-01T12:17:15Z[6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.2025-10-01T12:17:15ZMariusz Felisiakfelisiak.mariusz@gmail.com2025-09-10T07:53:52Zurn:sha1:4ceaaee7e04b416fc465e838a6ef43ca0ccffafe
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.2025-09-03T11:10:58ZJake Howardgit@theorangeone.net2025-08-13T12:13:42Zurn:sha1:51711717098d3f469f795dfa6bc3758b24f69ef7
Thanks Eyal Gabay (EyalSec) for the report.
Fixed #36431 -- Returned tuples for multi-column ForeignObject in values()/values_list().2025-08-29T19:33:44ZSaJHwogur981208@gmail.com2025-08-29T15:45:02Zurn:sha1:bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a
Thanks Jacob Walls and Simon Charette for tests.
Signed-off-by: SaJH <wogur981208@gmail.com>
Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values().2025-08-29T17:45:08ZJacob Wallsjacobtylerwalls@gmail.com2025-08-26T12:54:34Zurn:sha1:2d453a2a683d73c64dc32286685eb40cbca7c425Fixed #36210, Refs #36181 -- Allowed Subquery usage in further lookups against composite pks.2025-08-07T12:28:44ZJacob Wallsjacobtylerwalls@gmail.com2025-05-12T02:04:09Zurn:sha1:fd569dd45bf0746378faf7f65172497f21ed27f0
Follow-up to 8561100425876bde3be4b2a22324655f74ff9609.
Co-authored-by: Simon Charette <charette.s@gmail.com>
Refs #36500 -- Corrected rewrapped long lines fixed via a script.2025-07-23T23:17:55ZMike Edmundsmedmunds@gmail.com2025-07-23T03:44:22Zurn:sha1:78298b51629e14c0e472898b635bc819d47b7f27
Manually reformatted some comments and docstrings where autofix_w505.py
changed the meaning of the formatting.
Refs #36500 -- Rewrapped long docstrings and block comments via a script.2025-07-23T23:17:55Zdjango-botops@djangoproject.com2025-07-23T03:41:41Zurn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
Fixed #36152 -- Deprecated use of "%" in column aliases.2025-06-20T06:25:22ZJacob Wallsjacobtylerwalls@gmail.com2025-02-18T00:27:21Zurn:sha1:8ede411a81b40ca53362e6788601193c7e56a0cf
Unintentional support existed only on SQLite and Oracle.
Fixed #36442 -- Cloned FilteredRelation before rename_prefix_from_q.2025-06-12T06:36:54Zviliam mihalikviliam.mihalik@smartbase.sk2025-06-05T21:53:01Zurn:sha1:bd65e82831304ede92af6e9f0807daa3a874efc0Fixed #36392 -- Raised ValueError when subquery referencing composite pk selects too many columns.2025-05-16T06:19:38ZJacob Wallsjacobtylerwalls@gmail.com2025-05-15T02:49:52Zurn:sha1:994dc6d8a1bae717baa236b65e11cf91ce181c53