django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2026-02-03T13:17:34Z 2026-02-03T13:17:34Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:3e68ccdc11c127758745ddf0b4954990b14892bc Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. 2025-12-02T12:27:34Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-17T22:09:54Z urn:sha1:479415ce5249bcdebeb6570c72df2a87f45a7bbf Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main. 2025-10-01T12:24:18Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:52fbae0a4dbbe5faa59827f8f05694a0065cc135 Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. 2025-09-03T11:15:55Z Jake Howard git@theorangeone.net 2025-08-13T12:13:42Z urn:sha1:4c044fcc866ec226f612c475950b690b0139d243 Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. 2025-04-05T19:38:06Z Simon Charette charette.s@gmail.com 2025-04-04T14:18:27Z urn:sha1:cd1aa54f5a1ad8673f8852aa3b0022c06b154b79 Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests. Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com> Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main 2025-01-30T11:18:08Z Vinko Mlačić vinkomlacic@outlook.com 2025-01-28T21:57:32Z urn:sha1:d567e3a52e8b3ef0f830e07b602ae1382657eb07 Regression in ed0cbc8d8b314e3b4a0305d0be3cf366d8ee4a74. Backport of c6ace896a2da73356f7c9a655bbe32a0e3ce0435 from main. 2024-08-12T13:35:19Z Devin Cox dcox@surefyre.co 2024-08-09T20:56:56Z urn:sha1:e03083917db03757e48f8edac4c8491b72c8a3c4 Aggregation optimization didn't account for not referenced set-returning annotations on Postgres. Co-authored-by: Simon Charette <charette.s@gmail.com> 2024-07-03T14:36:25Z Simon Charette charette.s@gmail.com 2023-03-28T04:13:00Z urn:sha1:65ad4ade74dc9208b9d686a451cd6045df0c9c3a Previously the order was always extra_fields + model_fields + annotations with respective local ordering inferred from the insertion order of *selected. This commits introduces a new `Query.selected` propery that keeps tracks of the global select order as specified by on values assignment. This is crucial feature to allow the combination of queries mixing annotations and table references. It also allows the removal of the re-ordering shenanigans perform by ValuesListIterable in order to re-map the tuples returned from the database backend to the order specified by values_list() as they'll be in the right order at query compilation time. Refs #28553 as the initially reported issue that was only partially fixed for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67. Thanks Mariusz Felisiak and Sarah Boyce for review. 2023-03-25T19:22:45Z Simon Charette charette.s@gmail.com 2023-03-25T19:22:45Z urn:sha1:cb13792938f2c887134eb6b5164d89f8d8f9f1bd While the add_fields() call from set_values() does trigger validation it does so after annotations are masked resulting in them being excluded from the choices of valid options surfaced through a FieldError. 2023-01-26T18:54:48Z Raj Desai rajdesai024@gmail.com 2023-01-19T21:45:05Z urn:sha1:246eb4836a6fb967880f838aa0d22ecfdca8b6f1 Thanks Simon Charette for reviews.