django.git/django/db/models/sql, branch stable/4.2.x

django.git/django/db/models/sql, branch stable/4.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F4.2.x 2026-02-03T13:26:51Z [4.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. 2026-02-03T13:26:51Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T23:00:13Z urn:sha1:881ff2c4830f95fa844d8de5977c06205d45368f This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main. [4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods. 2026-02-03T13:26:22Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T22:53:52Z urn:sha1:90f5b10784ba5bf369caed87640e2b4394ea3314 Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main. [4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T13:25:58Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. [4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. 2025-10-01T13:05:20Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. 2025-09-03T11:39:26Z Jake Howard git@theorangeone.net 2025-08-13T12:13:42Z urn:sha1:31334e6965ad136a5e369993b01721499c5d1a92 Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. 2024-07-31T14:12:35Z Simon Charette charette.s@gmail.com 2024-07-25T16:19:13Z urn:sha1:f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Thanks Eyal (eyalgabay) for the report. [4.2.x] Fixed #34975 -- Fixed crash of conditional aggregate() over aggregations. 2023-11-18T15:53:24Z Simon Charette charette.s@gmail.com 2023-11-18T00:42:44Z urn:sha1:acf4cee95144c55a12492cdd71fa795d7accfe26 Adjustments made to solve_lookup_type to defer the resolving of references for summarized aggregates failed to account for similar requirements for lookup values which can also reference annotations through Aggregate.filter. Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d. Refs #25307. Thanks Sergey Nesterenko for the report. Backport of 7530cf3900ab98104edcde69e8a2a415e82b345a from main [4.2.x] Fixed #34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries. 2023-10-16T04:15:36Z Simon Charette charette.s@gmail.com 2023-10-16T01:59:15Z urn:sha1:803caec60bed3b282b9f9961860a467160c0c8f1 Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7, complements e5c844d6f2a4ac6ae674d741b5f1fa2a688cedf4. Refs #28477, #34551. Thanks Haldun Komsuoglu for the report. Backport of 3b4a571275d967512866012955eb0b3ae486d63c from main [4.2.x] Fixed #34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations. 2023-08-01T14:17:06Z Mariusz Felisiak felisiak.mariusz@gmail.com 2023-08-01T14:16:28Z urn:sha1:8808d9da6b11b8aa32d750265217721450b0fb1f Thanks Toan Vuong for the report. Thanks Simon Charette for the review. Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Backport of c9b9a52edc66be117c6e5b5214fa788a4d5db7a8 from main [4.2.x] Fixed #34717 -- Fixed QuerySet.aggregate() crash when referencing window functions. 2023-07-19T07:06:16Z Simon Charette charette.s@gmail.com 2023-07-17T16:51:54Z urn:sha1:7a67b065d7e5653f3af1cbd28882d33d2a088b02 Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks younes-chaoui for the report. Backport of 68912e4f6f84f21322f92a2c7b6c77f68f91b9c9 from main