django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2026-02-03T13:19:02Z 2026-02-03T13:19:02Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T23:00:13Z urn:sha1:ab0ad8d39555292b55123adeac57ed64c776f8d9 This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main. 2026-02-03T13:17:34Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:3e68ccdc11c127758745ddf0b4954990b14892bc Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. 2025-10-01T12:24:18Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:52fbae0a4dbbe5faa59827f8f05694a0065cc135 Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. 2025-09-03T11:15:55Z Jake Howard git@theorangeone.net 2025-08-13T12:13:42Z urn:sha1:4c044fcc866ec226f612c475950b690b0139d243 Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. 2025-08-29T19:36:09Z SaJH wogur981208@gmail.com 2025-08-29T15:45:02Z urn:sha1:ace59cb83b87a4fdeab29424ea134e78de24fb27 Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH <wogur981208@gmail.com> Backport of bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a from main 2025-05-16T06:21:18Z Jacob Walls jacobtylerwalls@gmail.com 2025-05-15T02:49:52Z urn:sha1:6228a35095d06fecf55bc1a3308ab4d46cc2d57b Backport of 994dc6d8a1bae717baa236b65e11cf91ce181c53 from main. 2025-04-05T19:38:06Z Simon Charette charette.s@gmail.com 2025-04-04T14:18:27Z urn:sha1:cd1aa54f5a1ad8673f8852aa3b0022c06b154b79 Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests. Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com> Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main 2025-04-03T16:35:11Z Simon Charette charette.s@gmail.com 2025-04-03T03:20:53Z urn:sha1:317690403a40fbaf52c6abcbc8d39f199c9b5102 Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900 Thanks Patrick Altman for the report. Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main 2025-02-11T08:16:44Z Simon Charette charette.s@gmail.com 2025-01-28T04:10:13Z urn:sha1:dc1c9b4ddd3ca64279da7c97b5023fbedf2340e2 Non-tuple exact and in lookups have specialized logic for subqueries that can be adapted to properly assign select mask if unspecified and ensure the number of involved members are matching on both side of the operator. Backport of 41239fe34d64e801212dccaa4585e4802d0fac68 from main. 2025-02-06T13:31:32Z Simon Charette charette.s@gmail.com 2025-01-14T05:18:30Z urn:sha1:8aea6b802ced18a54f00db71c53e09c643f7514c The original queryset._next_is_sticky() call never had the intended effect as no further filtering was applied internally after the pk__in lookup making it a noop. In order to be coherent with how related filters are applied when retrieving objects from a related manager the effects of what calling _next_is_sticky() prior to applying annotations and filters to the queryset provided for prefetching are emulated by allowing the reuse of all pre-existing JOINs. Thanks David Glenck and Thiago Bellini Ribeiro for the detailed reports and tests. Backport of 2598b371a93e21d84b7a2a99b2329535c8c0c138 from main.