django.git/django/db/models/sql/query.py, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-04-19T08:03:11Z Fixed #37047 -- Fixed crash in Query.orderby_issubset_groupby for descending and random order_by strings. 2026-04-19T08:03:11Z Anže Pečar anze@pecar.me 2026-04-18T11:54:55Z urn:sha1:a284a49153f005f2a7af087025e5112ba06cbd5f Run this example: ```python User.objects.values("is_staff").annotate(latest=Max("date_joined")).order_by("-latest").count() ``` You should see the following exception: ``` django.core.exceptions.FieldError: Cannot resolve keyword '-latest' into field. ``` Regression in 2ce5cb0f7a4618dfdc5f5c10e53e2e9b9543d298. Fixed #20024 -- Fixed handling of __in lookups with None in exclude(). 2026-04-02T15:24:26Z Eddy Adegnandjou adegnandjoueddy12@gmail.com 2025-10-31T08:00:41Z urn:sha1:cec10f992be8eed5ed90506375ae5794cbb7069e Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration. Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. 2026-02-03T12:56:04Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T23:00:13Z urn:sha1:005d60d97c4dfb117503bdb6f2facfcaf9315d84 This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T12:55:04Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:e891a84c7ef9962bfcc3b4685690219542f86a22 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Fixed #36352 -- Improved error message for fields excluded by prior values()/values_list() calls. 2026-01-16T15:28:14Z JaeHyuck Sa wogur981208@gmail.com 2026-01-15T15:29:25Z urn:sha1:0239e86f387127dace7273208c300b33a065e021 Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com> Fixed #36821 -- Treated empty strings as NULL for iexact lookups on Oracle. 2026-01-14T18:31:15Z JaeHyuck Sa wogur981208@gmail.com 2026-01-14T15:09:14Z urn:sha1:4ce4ed72a4ddc7d101df0fd31f1d0e449d8af501 Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com> Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping. 2025-12-15T20:23:51Z Michal Mládek osvc.04923031@gmail.com 2025-05-26T16:37:34Z urn:sha1:2ce5cb0f7a4618dfdc5f5c10e53e2e9b9543d298 Co-authored-by: Simon Charette <charette.s@gmail.com> Reverted "Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping." 2025-10-28T15:40:01Z Jacob Walls jacobtylerwalls@gmail.com 2025-10-28T14:43:54Z urn:sha1:43933a1dca07047e95ec990d9289d0212668009e This reverts commit ea3a71c2d09f8281d8a50ed20e40e1fb13db5cd9. The implementation was flawed, as self.group_by contains Cols, not aliases. Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping. 2025-10-27T19:11:19Z Michal Mládek osvc.04923031@gmail.com 2025-05-26T16:37:34Z urn:sha1:ea3a71c2d09f8281d8a50ed20e40e1fb13db5cd9 Co-authored-by: Simon Charette <charette.s@gmail.com> Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. 2025-10-01T12:11:45Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:41b43c74bda19753c757036673ea9db74acf494a Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.