django http://cgit.adnoto.dev/django.git/atom?h=main 2026-04-27T19:49:14Z 2026-04-27T19:49:14Z Tim Graham timograham@gmail.com 2026-04-25T11:07:01Z urn:sha1:a49be25e6128a3272960ed4f6f6506d147596395 This allows backends that don't support extra() to skip it. 2026-04-02T15:24:26Z Eddy Adegnandjou adegnandjoueddy12@gmail.com 2025-10-31T08:00:41Z urn:sha1:cec10f992be8eed5ed90506375ae5794cbb7069e Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration. 2026-03-21T14:14:48Z Tim Graham timograham@gmail.com 2026-02-10T01:57:37Z urn:sha1:f2169ef3688422d394d36007e320bac839117f0b 2026-03-19T16:24:17Z Simon Charette charette.s@gmail.com 2026-02-01T21:53:54Z urn:sha1:f05fac88c4699c6d04a8f1ac3328cf6c7bd39228 This ensures all database identifiers are quoted independently of their orign and most importantly that user provided aliases through annotate() and alias() which paves the way for dropping the allow list of characters such aliases can contain. This will require adjustments to raw SQL interfaces such as RawSQL that might make reference to ORM managed annotations as these will now be quoted. The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias for the newly introduced `.quote_name` method but will be duly deprecated in a follow up commit. 2026-03-11T17:05:44Z Keryn Knight keryn@kerynknight.com 2021-07-20T12:04:51Z urn:sha1:8d8a8713432a88737c4400610eef11c5c8457b86 Multiple calls are idempotent assuming they're balanced. Also, multiple calls to disable cloning followed by a single call to re-enable cloning will subsequently cause clones to occur - it is not a stack, just a toggle. @contextlib.contextmanager is intentionally not used for performance reasons: - decorator takes 1.1µs to execute, or 2µs if used correctly in a `with ...:` statement - custom class takes 300ns to execute, or 900ns if used correctly in a `with ...:` statement Based on work originally done by Anssi Kääriäinen and Tim Graham. 2026-02-03T12:55:04Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:e891a84c7ef9962bfcc3b4685690219542f86a22 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. 2025-11-05T12:20:57Z Jacob Walls jacobtylerwalls@gmail.com 2025-09-24T19:56:03Z urn:sha1:3c3f46357718166069948625354b8315a8505262 2025-10-01T12:11:45Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:41b43c74bda19753c757036673ea9db74acf494a Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. 2025-07-23T23:17:55Z django-bot ops@djangoproject.com 2025-07-23T03:41:41Z urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. 2025-04-11T07:04:49Z Simon Charette charette.s@gmail.com 2025-04-02T22:53:36Z urn:sha1:21f8be76d43aa1ee5ae41c1e0a428cfea1f231c1 Now that selected aliases are stored in sql.Query.selected: dict[str, Any] the values_list() method must ensures that duplicate field name references are assigned unique aliases. Refs #28900. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Thanks Claude for the report.