django.git/tests/aggregation/tests.py, branch stable/5.2.x

django.git/tests/aggregation/tests.py, branch stable/5.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2026-02-03T13:17:34Z [5.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T13:17:34Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:3e68ccdc11c127758745ddf0b4954990b14892bc Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. [5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. 2025-10-01T12:24:18Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:52fbae0a4dbbe5faa59827f8f05694a0065cc135 Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. [5.2.x] Fixed #36292 -- Fixed crash when aggregating over a group mixing transforms and references. 2025-04-03T16:35:11Z Simon Charette charette.s@gmail.com 2025-04-03T03:20:53Z urn:sha1:317690403a40fbaf52c6abcbc8d39f199c9b5102 Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900 Thanks Patrick Altman for the report. Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main Fixed #36051 -- Declared arity on aggregate functions. 2025-01-14T15:47:07Z Jacob Walls jacobtylerwalls@gmail.com 2025-01-01T20:27:52Z urn:sha1:d206d4c200d71c0847e7f6720d88c587e7b46843 Follow-up to 4a66a69239c493c05b322815b18c605cd4c96e7c. Added supports_select_union skips in queries and aggregation tests. 2024-08-26T15:53:08Z Tim Graham timograham@gmail.com 2024-08-20T14:29:35Z urn:sha1:6a85c888bff84134ed674ddfef935e0a9906fc9f Fixed #35643 -- Fixed a crash when ordering a QuerySet by a reference containing "__". 2024-08-02T19:21:12Z Simon Charette charette.s@gmail.com 2024-08-02T19:21:12Z urn:sha1:a16f13a8661297eda12c4177bb01fa2e5b5ccc56 Regression in b0ad41198b3e333f57351e3fce5a1fb47f23f376. Refs #34013. The initial logic did not consider that annotation aliases can include lookup or transform separators. Thanks Gert Van Gool for the report and Mariusz Felisiak for the review. Refs #35339 -- Updated Aggregate class to return consistent source expressions. 2024-04-25T20:40:03Z Chris Muthig camuthig@gmail.com 2024-04-03T22:06:39Z urn:sha1:42b567ab4c5bfb1bbd3e629b1079271c5ae44ea0 Refactored the filter and order_by expressions in the Aggregate class to return a list of Expression (or None) values, ensuring that the list item is always available and represents the filter expression. For the PostgreSQL OrderableAggMixin, the returned list will always include the filter and the order_by value as the last two elements. Lastly, emtpy Q objects passed directly into aggregate objects using Aggregate.filter in admin facets are filtered out when resolving the expression to avoid errors in get_refs(). Thanks Simon Charette for the review. Fixed #35042 -- Fixed a count() crash on combined queries. 2023-12-16T19:19:24Z Simon Charette charette.s@gmail.com 2023-12-16T02:00:59Z urn:sha1:77278929c86168f075600d9d8c8e76a4792e672b Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Thanks Marcin for the report. Refs #34013 -- Registered instance lookups as documented in tests. 2023-12-16T19:05:36Z Simon Charette charette.s@gmail.com 2023-12-16T19:05:36Z urn:sha1:eea4f92f9aa57d1b25f1c28d11c3b5a6a5841e82 Fixed #34013 -- Added QuerySet.order_by() support for annotation transforms. 2023-12-12T04:51:33Z Simon Charette charette.s@gmail.com 2023-12-08T07:03:14Z urn:sha1:b0ad41198b3e333f57351e3fce5a1fb47f23f376 Thanks Eugene Morozov and Ben Nace for the reports.