django.git/tests/expressions/test_queryset_values.py, branch stable/4.2.xdjango
http://cgit.adnoto.dev/django.git/atom?h=stable%2F4.2.x2026-02-03T13:25:58Z[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.2026-02-03T13:25:58ZJake Howardgit@theorangeone.net2026-01-21T11:14:48Zurn:sha1:f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
[4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.2025-10-01T13:05:20ZMariusz Felisiakfelisiak.mariusz@gmail.com2025-09-10T07:53:52Zurn:sha1:38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.2024-07-31T14:12:35ZSimon Charettecharette.s@gmail.com2024-07-25T16:19:13Zurn:sha1:f4af67b9b41e0f4c117a8741da3abbd1c869ab28
Thanks Eyal (eyalgabay) for the report.
Relaxed some query ordering assertions in various tests.2022-04-14T10:12:13ZMariusz Felisiakfelisiak.mariusz@gmail.com2022-04-14T10:12:13Zurn:sha1:1760ad4e8cdbf34a0f38deae300460a0b9c38eac
It accounts for differences seen on MySQL with MyISAM storage engine.Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.2022-04-11T06:59:33ZMariusz Felisiakfelisiak.mariusz@gmail.com2022-04-01T06:10:22Zurn:sha1:93cae5cb2f9a4ef1514cf1a41f714fef08005200
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Refs #33476 -- Reformatted code with Black.2022-02-07T19:37:05Zdjango-botops@djangoproject.com2022-02-03T19:24:19Zurn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00Simplified imports from django.db and django.contrib.gis.db.2020-02-04T12:20:06ZNick Popenick.pope@flightdataservices.com2019-08-20T07:54:41Zurn:sha1:335c9c94acf263901fb023404408880245b0c4b4Refs #23919 -- Removed encoding preambles and future imports2017-01-18T08:55:19ZClaude Parozclaude@2xlibre.net2016-11-19T17:19:41Zurn:sha1:d7b9aaa366dd54ecc3142c588162e3adc7c2f7acFixed #25871 -- Added expressions support to QuerySet.values().2016-08-18T20:05:15ZIan Footepython@ian.feete.org2016-08-15T01:35:12Zurn:sha1:39f35d4b9de223b72c67bb1d12e65669b4e1355b