django.git/django/db/models/sql, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-04-19T08:03:11Z Fixed #37047 -- Fixed crash in Query.orderby_issubset_groupby for descending and random order_by strings. 2026-04-19T08:03:11Z Anže Pečar anze@pecar.me 2026-04-18T11:54:55Z urn:sha1:a284a49153f005f2a7af087025e5112ba06cbd5f Run this example: ```python User.objects.values("is_staff").annotate(latest=Max("date_joined")).order_by("-latest").count() ``` You should see the following exception: ``` django.core.exceptions.FieldError: Cannot resolve keyword '-latest' into field. ``` Regression in 2ce5cb0f7a4618dfdc5f5c10e53e2e9b9543d298. Fixed #20024 -- Fixed handling of __in lookups with None in exclude(). 2026-04-02T15:24:26Z Eddy Adegnandjou adegnandjoueddy12@gmail.com 2025-10-31T08:00:41Z urn:sha1:cec10f992be8eed5ed90506375ae5794cbb7069e Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration. Refs #36795 -- Deprecated SQLCompiler.quote_name_unless_alias(). 2026-03-19T16:24:17Z Simon Charette charette.s@gmail.com 2026-03-16T03:31:18Z urn:sha1:1786cd881ff4ad9458d56180ae555d92c14e5af8 It has been superseded with .quote_name(), which ensures aliases are always quoted. Fixed #36795 -- Enforced quoting of all database object names. 2026-03-19T16:24:17Z Simon Charette charette.s@gmail.com 2026-02-01T21:53:54Z urn:sha1:f05fac88c4699c6d04a8f1ac3328cf6c7bd39228 This ensures all database identifiers are quoted independently of their orign and most importantly that user provided aliases through annotate() and alias() which paves the way for dropping the allow list of characters such aliases can contain. This will require adjustments to raw SQL interfaces such as RawSQL that might make reference to ORM managed annotations as these will now be quoted. The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias for the newly introduced `.quote_name` method but will be duly deprecated in a follow up commit. Fixed #36727 -- Deprecated Field.get_placeholder in favor of get_placeholder_sql. 2026-03-13T00:01:02Z Simon Charette charette.s@gmail.com 2025-11-22T18:32:34Z urn:sha1:1a8fd5cf75bf855852f6bc2f75c3da9f7b145669 The lack of ability of the get_placeholder call chain to return SQL and parameters separated so they can be mogrified by the backend at execution time forced implementations to dangerously interpolate potentially user controlled values. The get_placeholder_sql name was chosen due to its proximity to the previous method, but other options such as Field.as_sql were considered but ultimately rejected due to its different input signature compared to Expression.as_sql that might have lead to confusion. There is a lot of overlap between what Field.get_db_prep_value and get_placeholder_sql do but folding the latter in the former would require changing its return signature to return expression which is a way more invasive change than what is proposed here. Given we always call get_db_prep_value it might still be an avenue worth exploring in the future to offer a publicly documented interface to allow field to take an active part in the compilation chain. Thanks Jacob for the review. Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. 2026-02-03T12:56:04Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T23:00:13Z urn:sha1:005d60d97c4dfb117503bdb6f2facfcaf9315d84 This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods. 2026-02-03T12:55:33Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T22:53:52Z urn:sha1:69065ca869b0970dff8fdd8fafb390bf8b3bf222 Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T12:55:04Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:e891a84c7ef9962bfcc3b4685690219542f86a22 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Fixed #36352 -- Improved error message for fields excluded by prior values()/values_list() calls. 2026-01-16T15:28:14Z JaeHyuck Sa wogur981208@gmail.com 2026-01-15T15:29:25Z urn:sha1:0239e86f387127dace7273208c300b33a065e021 Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com> Fixed #36821 -- Treated empty strings as NULL for iexact lookups on Oracle. 2026-01-14T18:31:15Z JaeHyuck Sa wogur981208@gmail.com 2026-01-14T15:09:14Z urn:sha1:4ce4ed72a4ddc7d101df0fd31f1d0e449d8af501 Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>