django.git/tests/expressions/test_queryset

django.git/tests/expressions/test_queryset_values.py, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-02-03T12:55:04Z Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. 2026-02-03T12:55:04Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:e891a84c7ef9962bfcc3b4685690219542f86a22 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. 2025-10-01T12:11:45Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:41b43c74bda19753c757036673ea9db74acf494a Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values(). 2025-08-29T17:45:08Z Jacob Walls jacobtylerwalls@gmail.com 2025-08-26T12:54:34Z urn:sha1:2d453a2a683d73c64dc32286685eb40cbca7c425 Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. 2024-08-06T06:50:08Z Simon Charette charette.s@gmail.com 2024-07-25T16:19:13Z urn:sha1:c87bfaacf8fb84984243b5055dc70f97996cb115 Thanks Eyal (eyalgabay) for the report. Relaxed some query ordering assertions in various tests. 2022-04-14T10:12:13Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-04-14T10:12:13Z urn:sha1:1760ad4e8cdbf34a0f38deae300460a0b9c38eac It accounts for differences seen on MySQL with MyISAM storage engine. Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. 2022-04-11T06:59:33Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-04-01T06:10:22Z urn:sha1:93cae5cb2f9a4ef1514cf1a41f714fef08005200 Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Simplified imports from django.db and django.contrib.gis.db. 2020-02-04T12:20:06Z Nick Pope nick.pope@flightdataservices.com 2019-08-20T07:54:41Z urn:sha1:335c9c94acf263901fb023404408880245b0c4b4 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18T08:55:19Z Claude Paroz claude@2xlibre.net 2016-11-19T17:19:41Z urn:sha1:d7b9aaa366dd54ecc3142c588162e3adc7c2f7ac Fixed #25871 -- Added expressions support to QuerySet.values(). 2016-08-18T20:05:15Z Ian Foote python@ian.feete.org 2016-08-15T01:35:12Z urn:sha1:39f35d4b9de223b72c67bb1d12e65669b4e1355b