path: root/django/db/models/sql/query.py
Age | Commit message | Author
2026-06-10 | Fixed #37142 -- Moved django_file_prefixes() to django.utils.warnings. | zhengkangyang
2026-05-18 | Refs #37097 -- Removed compilation-time order clearing on combined queries on Oracle. | Jacob Walls
Thanks Simon Charette, JaeHyuck Sa, and Shai Berger for reviews.
2026-05-18 | Fixed #37097 -- Made Query.clear_ordering() clear ordering on combined queries also. | Jacob Walls
Thanks Shai Berger for the report. Regression in 087bb9e8f3478d53f12b1737af865992af17c5f2. (That commit drove more traffic into an error that would have been reachable only with an explicit order_by() after each union().)
Co-authored-by: Simon Charette <charettes@gmail.com>
Co-authored-by: siddus <dcsid10@gmail.com>
2026-04-19 | Fixed #37047 -- Fixed crash in Query.orderby_issubset_groupby for descending and random order_by strings. | Anže Pečar
Run this example:
```python
User.objects.values("is_staff").annotate(latest=Max("date_joined")).order_by("-latest").count()
```
You should see the following exception:
```
django.core.exceptions.FieldError: Cannot resolve keyword '-latest' into field.
```
Regression in 2ce5cb0f7a4618dfdc5f5c10e53e2e9b9543d298.
2026-04-02 | Fixed #20024 -- Fixed handling of __in lookups with None in exclude(). | Eddy Adegnandjou
Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration.
2026-02-03 | Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. | Jacob Walls
This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
2026-02-03 | Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. | Jake Howard
Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-01-16 | Fixed #36352 -- Improved error message for fields excluded by prior values()/values_list() calls. | JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-01-14 | Fixed #36821 -- Treated empty strings as NULL for iexact lookups on Oracle. | JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2025-12-15 | Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping. | Michal Mládek
Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-10-28 | Reverted "Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping." | Jacob Walls
This reverts commit ea3a71c2d09f8281d8a50ed20e40e1fb13db5cd9. The implementation was flawed, as self.group_by contains Cols, not aliases.
2025-10-27 | Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping. | Michal Mládek
Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-10-01 | Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. | Mariusz Felisiak
Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
2025-09-22 | Fixed #36480 -- Made values() resolving error mention unselected aliases. | Shubham Singh
Follow-up to cb13792938f2c887134eb6b5164d89f8d8f9f1bd. Refs #34437.
2025-09-19 | Refs #36152, #35667 -- Used skip_file_prefixes in alias deprecation warning. | Jacob Walls
Follow-up to 8ede411a81b40ca53362e6788601193c7e56a0cf.
2025-09-19 | Fixed #36584, Refs #36149 -- Allowed subquery values against tuple in lookup via ForeignObject. | 사재혁
2025-09-03 | Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. | Jake Howard
Thanks Eyal Gabay (EyalSec) for the report.
2025-08-29 | Fixed #36431 -- Returned tuples for multi-column ForeignObject in values()/values_list(). | SaJH
Thanks Jacob Walls and Simon Charette for tests.
Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-29 | Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values(). | Jacob Walls
2025-08-07 | Fixed #36210, Refs #36181 -- Allowed Subquery usage in further lookups against composite pks. | Jacob Walls
Follow-up to 8561100425876bde3be4b2a22324655f74ff9609.
Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-07-23 | Refs #36500 -- Corrected rewrapped long lines fixed via a script. | Mike Edmunds
Manually reformatted some comments and docstrings where autofix_w505.py changed the meaning of the formatting.
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-06-20 | Fixed #36152 -- Deprecated use of "%" in column aliases. | Jacob Walls
Unintentional support existed only on SQLite and Oracle.
2025-06-12 | Fixed #36442 -- Cloned FilteredRelation before rename_prefix_from_q. | viliam mihalik
2025-05-16 | Fixed #36392 -- Raised ValueError when subquery referencing composite pk selects too many columns. | Jacob Walls
2025-04-05 | Fixed #36299 -- Prevented field selection on QuerySet.alias() after values(). | Simon Charette
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests.
Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
2025-04-03 | Fixed #36292 -- Fixed crash when aggregating over a group mixing transforms and references. | Simon Charette
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Patrick Altman for the report.
2025-02-11 | Fixed #36149 -- Allowed subquery values against tuple exact and in lookups. | Simon Charette
Non-tuple exact and in lookups have specialized logic for subqueries that can be adapted to properly assign select mask if unspecified and ensure the number of involved members are matching on both sides of the operator.
2025-02-06 | Fixed #35677 -- Avoided non-sticky filtering of prefetched many-to-many. | Simon Charette
The original queryset._next_is_sticky() call never had the intended effect as no further filtering was applied internally after the pk__in lookup making it a noop. In order to be coherent with how related filters are applied when retrieving objects from a related manager the effects of what calling _next_is_sticky() prior to applying annotations and filters to the queryset provided for prefetching are emulated by allowing the reuse of all pre-existing JOINs. Thanks David Glenck and Thiago Bellini Ribeiro for the detailed reports and tests.
2025-01-27 | Fixed #36109 -- Fixed RecursionError when stacking FilteredRelation joins. | Peter DeVita
2025-01-03 | Fixed #36029 -- Handled implicit exact lookups in condition depth checks for FilteredRelation. | Jacob Walls
2024-11-29 | Fixed #373 -- Added CompositePrimaryKey. | Bendeguz Csirmaz
Thanks Lily Foote and Simon Charette for reviews and mentoring this Google Summer of Code 2024 project.
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Lily Foote <code@lilyf.org>
2024-10-14 | Fixed #35744 -- Relabelled external aliases of combined queries. | Simon Charette
Just like normal queries, combined queries' outer references might fully resolve before their reference is assigned its final alias. Refs #29338. Thanks Antony_K for the report and example, and thanks Mariusz Felisiak for the review.
2024-08-12 | Fixed #35586 -- Added support for set-returning database functions. | Devin Cox
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres.
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-06 | Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. | Simon Charette
Thanks Eyal (eyalgabay) for the report.
2024-08-01 | Refs #373 -- Added tuple lookups. | Bendeguz Csirmaz
2024-07-23 | Fixed #35585 -- Corrected Query.exists() call in Query.has_results(). | Flavio Curella
2024-07-09 | Fixed #35413 -- Made unsupported lookup error message more specific. | wookkl
2024-07-03 | Refs #28900 -- Made Query.has_select_fields a computed property. | Simon Charette
This should ensure it never drifts from Query.selected while maintaining backward compatibility.
2024-07-03 | Refs #28900 -- Made SELECT respect the order specified by values(*selected). | Simon Charette
Previously the order was always extra_fields + model_fields + annotations with respective local ordering inferred from the insertion order of *selected. This commit introduces a new `Query.selected` property that keeps track of the global select order as specified by on values assignment. This is a crucial feature to allow the combination of queries mixing annotations and table references. It also allows the removal of the re-ordering shenanigans performed by ValuesListIterable in order to re-map the tuples returned from the database backend to the order specified by values_list() as they'll be in the right order at query compilation time. Refs #28553 as the initially reported issue that was only partially fixed for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67. Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-06-25 | Used Query.add_annotation where appropriate. | Simon Charette
This avoids manual .annotations and .append_annotation_mask manipulations.
2024-04-23 | Refs #35356 -- Clarified select related with masked field logic. | Simon Charette
By always including related objects in the select mask via adjusting the defer logic (_get_defer_select_mask()), it becomes possible for select_related_descend() to treat forward and reverse relationships indistinctively. This work also simplifies and adds comments to select_related_descend() to make it easier to understand.
2024-04-23 | Fixed #35356 -- Deferred self-referential foreign key fields adequately. | Simon Charette
While refs #34612 surfaced issues with reverse one-to-one fields deferrals, it missed that switching to storing remote fields would break self-referential relationships. This change switches to storing related objects in the select mask instead of remote fields to prevent collisions when dealing with self-referential relationships that might have a different directional mask. Despite fixing #21204 introduced a crash under some self-referential deferral conditions, it was simply not working even before that as it aggregated the sets of deferred fields by model. Thanks Joshua van Besouw for the report and Mariusz Felisiak for the review.
2024-02-07 | Fixed #35099 -- Prevented mutating queryset when combining with & and | operators. | Hisham Mahmood
Thanks Alan for the report.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-01-29 | Fixed #35135 -- Made FilteredRelation raise ValueError on querysets as rhs. | Nicolas Delaby
Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2024-01-15 | Refs #35102 -- Optimized replace_expressions()/relabelling aliases by adding early return. | Mariusz Felisiak
This avoids costly hashing. Thanks Anthony Shaw for the report.
Co-Authored-By: Simon Charette <charette.s@gmail.com>
2023-12-23 | Fixed #35050 -- Fixed prefixing field names in FilteredRelation(). | David Wobrock
Thanks Mark Zorn for the report. Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
2023-12-16 | Fixed #35042 -- Fixed a count() crash on combined queries. | Simon Charette
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Thanks Marcin for the report.
2023-11-18 | Refs #34717 -- Avoided computing aggregate refs twice. | Simon Charette