| Age | Commit message | Author |
|
against SQL injection on PostgreSQL.
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
|
|
and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
|
|
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.
In retrospect the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.
The main branch is not affected because the raw SQL column reference
support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff
per the 4.0 deprecation life cycle.
Thanks Joel Saunders for the report.
|
|
deconstruction.
Subquery deconstruction support required implementing complex and
expensive equality rules for sql.Query objects for little benefit as
the latter cannot themselves be made deconstructible due to their reference
to model classes.
Making Expression @deconstructible and not BaseExpression allows
interested parties to conform to the "expression" API even if they are
not deconstructible as it's only a requirement for expressions allowed
in Model fields and meta options (e.g. constraints, indexes).
Thanks Phillip Cutter for the report.
This also fixes a performance regression in bbf141bcdc31f1324048af9233583a523ac54c94.
Backport of c8b659430556dca0b2fe27cf2ea0f8290dbafecd from main
|
|
self-referential subqueries on MySQL.
Backport of 4074f38e1dcc93b859bbbfd6abd8441c3bca36b3 from main
|
|
combination.
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9cb63a6c0b06daf045bc1c21eb4d7c1 but
sql.Query.combine never properly handled subqueries outer refs in the
first place, see QuerySetBitwiseOperationTests.test_subquery_aliases()
(refs #27149).
Thanks Raffaele Salmaso for the report.
Backport of 6d0cbe42c3d382e5393d4af48185c546bb0ada1f from main
|
|
combined querysets ordered by unannotated columns.
Backport of 9760e262f85ae57df39abe2799eff48a82b14474 from main
|
|
GROUP BY on aggregations.
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
Refs #31094, #31150.
Thanks Igor Pejic for the report.
Backport of 277eea8fcced7f04f3800617f189beb349a3212e from master
|
|
expressions.
Thanks Mariusz Felisiak and Simon Charette for reviews.
|
|
querysets ordered by annotations.
|
|
Regression was introduced by fff5186 but was due to a long standing issue.
AggregateQuery was abusing Query.subquery: bool by stashing its
compiled inner query's SQL for later use in its compiler which made
select_format checks for Query.subquery wrongly assume the provided
query was a subquery.
This patch prevents that from happening by using a dedicated
inner_query attribute which is compiled at a later time by
SQLAggregateCompiler.
Moving the inner query's compilation to SQLAggregateCompiler.compile
had the side effect of addressing a long standing issue with
aggregation subquery pushdown which prevented converters from being
run. This is now fixed as the aggregation_regress adjustments
demonstrate.
Refs #25367.
Thanks Eran Keydar for the report.
|
|
Regression in 42c08ee46539ef44f8658ebb1cbefb408e0d03fe.
Thanks Simon Charette for the review.
|
|
As mentioned in the pre-existing split_exclude() docstring EXISTS is
easier to optimize for query planners and circumvents the IN (NULL)
handling issue.
|
|
By making Query subclass BaseExpression in
35431298226165986ad07e91f9d3aca721ff38ec the former defined its
identity based off _construct_args which is not appropriate.
|
|
Regression in 8be79984dce7d819879a6e594ca69c5f95a08378.
Thanks Gordon Wrigley for the report.
|
|
combined querysets.
|
|
Thanks Gordon Wrigley for the report.
Regression in 8a6df55f2dd5131282084a4edfd48f63fbf8c69a.
|
|
The optimization introduced in 7acef095d73 did not properly handle
deletion involving filters against aggregate annotations.
It initially was surfaced by a MariaDB test failure but misattributed
to an undocumented change in behavior that resulted in the systemic
generation of poorly performing database queries in 5b83bae031.
Thanks Anton Plotkin for the report.
Refs #23576.
|
|
The latter is already optimized to limit the number of results, avoid
selecting unnecessary fields, and drop ordering if possible without
altering the semantics of the query.
|
|
QuerySet.alias() allows creating reusable aliases for expressions that
don't need to be selected but are used for filtering, ordering, or as
a part of complex expressions.
Thanks Simon Charette for reviews.
|
|
as rhs in queryset filters.
Regression in 4edad1ddf6203326e0be4bdb105beecb0fe454c4.
|
|
queryset.
|
|
Thanks Adam Johnson for the report.
Regression in 7acef095d73322f45dcceb99afa1a4e50b520479.
|
|
QuerySet.select_for_update() on PostgreSQL.
|
|
Exists() annotation and aggregation on Oracle.
Oracle requires the EXISTS expression to be wrapped in a CASE WHEN in
the GROUP BY clause.
Regression in efa1908f662c19038a944129c81462485c4a9fe8.
|
|
691def10a0197d83d2d108bd9043b0916d0f09b4 made all Subquery() instances
equal to each other which broke aggregation subquery pushdown which
relied on object equality to determine which alias it should select.
Subquery.__eq__() will be fixed in another commit but
Query.rewrite_cols() should have used object identity from the start.
Refs #30727, #30188.
Thanks Makina Corpus for the report.
|
|
after annotate() with aggregations and subqueries.
Subquery annotation references must be resolved if they are excluded
from the GROUP BY clause by a following .values() call.
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
Thanks Makina Corpus for the report.
|
|
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
|
|
Resolve the field reference instead of using fragile regex based string
reference validation.
|
|
Now that order_by() has expression support passing RawSQL() can achieve
the same result.
This was also already supported through QuerySet.extra(order_by) for
years but this API is more or less deprecated at this point.
|
|
SimpleLazyObject.
Thanks Simon Charette for the solution and analysis.
|
|
iterable of rows.
List of tuples.
|
|
QuerySet.values()/values_list() when they collide with field names.
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
Thanks Holovashchenko Vadym for the report.
|
|
for related fields and parent link fields with multi-table inheritance.
Partly regression in 0107e3d1058f653f66032f7fd3a0bd61e96bf782.
|
|
annotations with aggregations used in order_by().
Regression in 59b4e99dd00b9c36d56055b889f96885995e4240.
Thanks Jon Dufresne for the report and Simon Charette for the review.
|
|
annotation.
Regression in 0f843fdd5b9b2f2307148465cd60f4e1b2befbb4.
|
|
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
Thanks Sigurd Ljødal for the report.
|
|
Clearing the SELECT clause in Query.has_results was orphaning GROUP BY
references to it.
Thanks Thierry Bastian for the report and Baptiste Mispelon for the
bisect.
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
|