django.git/django/db/models/sql, branch stable/5.2.x

[5.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.

2026-02-03T13:19:02Z

This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.

[5.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.

2026-02-03T13:18:30Z

Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.

[5.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

2026-02-03T13:17:34Z

Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.

[5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

2025-10-01T12:24:18Z

Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.

[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.

2025-09-03T11:15:55Z

Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.

[5.2.x] Fixed #36431 -- Returned tuples for multi-column ForeignObject in values()/values_list().

2025-08-29T19:36:09Z

Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH Backport of bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a from main

[5.2.x] Fixed #36392 -- Raised ValueError when subquery referencing composite pk selects too many columns.

2025-05-16T06:21:18Z

Backport of 994dc6d8a1bae717baa236b65e11cf91ce181c53 from main.

[5.2.x] Fixed #36301 -- Fixed select_for_update(of) crash when using values()/values_list().

2025-04-07T21:49:23Z

Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for annotations to be SELECT'ed before model field references through values()/values_list() and broke assumptions the select_for_update(of) table infererence logic had about model fields always being first. Refs #28900. Thanks OutOfFocus4 for the report and Sarah for the test. Backport of 71a19a0e475165dbc14c1fe02f552013ee670e4c from main

[5.2.x] Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().

2025-04-05T19:38:06Z

Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests. Co-Authored-By: OutOfFocus4 Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main

[5.2.x] Fixed #36292 -- Fixed crash when aggregating over a group mixing transforms and references.

2025-04-03T16:35:11Z

Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900 Thanks Patrick Altman for the report. Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main