django.git/django/db/models/sql/query.py, branch stable/6.0.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F6.0.x 2026-02-03T13:05:34Z [6.0.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. 2026-02-03T13:05:34Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T23:00:13Z urn:sha1:259dff061a9ea85f061ff71c0adb0e07ead693d3 This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main. [6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T13:03:39Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:0c0f5c2178c01ada5410cd53b4b207bf7858b952 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. [6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. 2025-10-01T12:17:15Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:4ceaaee7e04b416fc465e838a6ef43ca0ccffafe Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. 2025-09-03T11:10:58Z Jake Howard git@theorangeone.net 2025-08-13T12:13:42Z urn:sha1:51711717098d3f469f795dfa6bc3758b24f69ef7 Thanks Eyal Gabay (EyalSec) for the report. Fixed #36431 -- Returned tuples for multi-column ForeignObject in values()/values_list(). 2025-08-29T19:33:44Z SaJH wogur981208@gmail.com 2025-08-29T15:45:02Z urn:sha1:bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH <wogur981208@gmail.com> Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values(). 2025-08-29T17:45:08Z Jacob Walls jacobtylerwalls@gmail.com 2025-08-26T12:54:34Z urn:sha1:2d453a2a683d73c64dc32286685eb40cbca7c425 Fixed #36210, Refs #36181 -- Allowed Subquery usage in further lookups against composite pks. 2025-08-07T12:28:44Z Jacob Walls jacobtylerwalls@gmail.com 2025-05-12T02:04:09Z urn:sha1:fd569dd45bf0746378faf7f65172497f21ed27f0 Follow-up to 8561100425876bde3be4b2a22324655f74ff9609. Co-authored-by: Simon Charette <charette.s@gmail.com> Refs #36500 -- Corrected rewrapped long lines fixed via a script. 2025-07-23T23:17:55Z Mike Edmunds medmunds@gmail.com 2025-07-23T03:44:22Z urn:sha1:78298b51629e14c0e472898b635bc819d47b7f27 Manually reformatted some comments and docstrings where autofix_w505.py changed the meaning of the formatting. Refs #36500 -- Rewrapped long docstrings and block comments via a script. 2025-07-23T23:17:55Z django-bot ops@djangoproject.com 2025-07-23T03:41:41Z urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. Fixed #36152 -- Deprecated use of "%" in column aliases. 2025-06-20T06:25:22Z Jacob Walls jacobtylerwalls@gmail.com 2025-02-18T00:27:21Z urn:sha1:8ede411a81b40ca53362e6788601193c7e56a0cf Unintentional support existed only on SQLite and Oracle.