django.git/tests/annotations, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-03-19T16:24:17Z Refs #36795 -- Removed unnecessary prohibits_dollar_signs_in_column_aliases feature flag. 2026-03-19T16:24:17Z Simon Charette charette.s@gmail.com 2026-02-01T22:02:49Z urn:sha1:5146449a38222dc74f8f1ba88a7a7ef681e93101 Now that user provided aliases are systematically quoted there is no need to disallow the usage of the dollar sign on Postgres. Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T12:55:04Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:e891a84c7ef9962bfcc3b4685690219542f86a22 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Fixed #36352 -- Improved error message for fields excluded by prior values()/values_list() calls. 2026-01-16T15:28:14Z JaeHyuck Sa wogur981208@gmail.com 2026-01-15T15:29:25Z urn:sha1:0239e86f387127dace7273208c300b33a065e021 Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com> Added DatabaseFeatures.prohibits_dollar_signs_in_column_aliases. 2025-12-04T16:37:22Z Tim Graham timograham@gmail.com 2025-12-03T23:06:53Z urn:sha1:17d644c8e257c2ea5cc738fb7a9c47989e29bf09 This is also applicable on CockroachDB. Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL. 2025-12-02T12:21:07Z Jacob Walls jacobtylerwalls@gmail.com 2025-11-17T22:09:54Z urn:sha1:5b90ca1e7591fa36fccf2d6dad67cf1477e6293e Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. 2025-10-01T12:11:45Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:41b43c74bda19753c757036673ea9db74acf494a Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Fixed #36480 -- Made values() resolving error mention unselected aliases. 2025-09-22T12:35:53Z Shubham Singh ssingh@multimediallc.com 2025-09-11T19:47:05Z urn:sha1:dce1b9c2de00a3385c029c02dca325f44e7697a4 Follow-up to cb13792938f2c887134eb6b5164d89f8d8f9f1bd. Refs #34437. Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. 2025-09-03T11:10:58Z Jake Howard git@theorangeone.net 2025-08-13T12:13:42Z urn:sha1:51711717098d3f469f795dfa6bc3758b24f69ef7 Thanks Eyal Gabay (EyalSec) for the report. Refs #36210 -- Added missing limits in Subquery tests. 2025-08-07T12:28:44Z Jacob Walls jacobtylerwalls@gmail.com 2025-05-12T00:38:28Z urn:sha1:de7bb7eab84dc53a7117127ad8eec44970efc509 Refs #36500 -- Shortened some long docstrings and comments. 2025-07-23T23:17:55Z Mike Edmunds medmunds@gmail.com 2025-07-23T03:40:48Z urn:sha1:55b0cc21310b76ce4018dd793ba50556eaf0af06 Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.