django http://cgit.adnoto.dev/django.git/atom?h=main 2026-04-18T06:53:21Z 2026-04-18T06:53:21Z Mariusz Felisiak felisiak.mariusz@gmail.com 2026-04-18T06:53:21Z urn:sha1:ed79c5959add54b6e8ea589ec601e0d2e801517e 2026-02-10T21:47:44Z varunkasyap varunkasyap@hotmail.com 2026-02-02T08:20:16Z urn:sha1:3282d9f4edbe5d341a0fa2a8c62b435b3885ab64 2026-02-03T12:55:04Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:e891a84c7ef9962bfcc3b4685690219542f86a22 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. 2025-11-24T11:14:38Z Simon Charette charette.s@gmail.com 2025-11-24T11:14:38Z urn:sha1:2a6e0bd72d4a69725b957d6748a4b834f21b12b5 Regression in b8e5a8a9a2a767f584cbe89a878a42363706f939. Refs #36404. The replace_expressions method was innapropriately dealing with falsey but not None source expressions causing them to also be potentially evaluated when __bool__ was invoked (e.g. QuerySet.__bool__ evaluates the queryset). The changes introduced in b8e5a8a9a2, which were to deal with a similar issue, surfaced the problem as aggregation over an annotated queryset requires an inlining (or pushdown) of aggregate references which is achieved through replace_expressions. In cases where an empty Q object was provided as an aggregate filter, such as when the admin facetting feature was used as reported, it would wrongly be turned into None, instead of an empty WhereNode, causing a crash at aggregate filter compilation. Note that the crash signature differed depending on whether or not the backend natively supports aggregate filtering (supports_aggregate_filter_clause) as the fallback, which makes use Case / When expressions, would result in a TypeError instead of a NoneType AttributeError. Thanks Rafael Urben for the report, Antoliny and Youngkwang Yang for the triage. 2025-10-01T12:11:45Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:41b43c74bda19753c757036673ea9db74acf494a Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. 2025-07-23T23:17:55Z django-bot ops@djangoproject.com 2025-07-23T03:41:41Z urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. 2025-05-23T14:15:59Z Adam Johnson me@adamj.eu 2025-05-21T12:48:59Z urn:sha1:c2615a050036eda0bca090c707191076220cee9f co-authored-by: Simon Charette <charette.s@gmail.com> 2025-05-23T13:17:20Z Adam Johnson me@adamj.eu 2025-05-21T14:16:12Z urn:sha1:b8e5a8a9a2a767f584cbe89a878a42363706f939 Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com> 2025-05-23T09:19:31Z Simon Charette charette.s@gmail.com 2025-05-23T05:00:29Z urn:sha1:ec7f0bcf79dec7412d00d48e43c995a45b3b7b70 Unless an explicit order_by is specified for the test the ordering of the aggregation results is undefined. 2025-05-20T08:01:42Z ontowhee 82607723+ontowhee@users.noreply.github.com 2025-03-16T02:23:28Z urn:sha1:ddb85294159185c5bd5cae34c9ef735ff8409bfe Thanks Simon Charette for the guidance and review. Thanks Tim Schilling for the documentation review. Thanks David Wobrock for investigation and solution proposals.