path: root/django/db/models/sql
Age  Author
Commit message
2026-02-03  Jacob Walls
[4.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.

This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.

2026-02-03  Jacob Walls
[4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.

Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.

2026-02-03  Jake Howard
[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.

2025-10-01  Mariusz Felisiak
[4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.

2025-09-03  Jake Howard
[4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.

Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.

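The four alias-related entries above (CVE-2026-1287, CVE-2026-1312, CVE-2025-59681 and CVE-2025-57833) share one vector: alias names that an application takes from a request and expands into annotate(), alias(), aggregate(), extra(), values(), values_list() or order_by() via **kwargs. The following is an added example of the input-side check an application can apply before such names reach the ORM; it is not Django's own code and not the fix described in the commits. The request shape, the allowlist of orderable names and the function names are assumptions made for the example.

```python
"""Guarding user-controlled alias names before they reach QuerySet methods.

Added example; not Django's code. Assumes the application builds ORM calls from
names taken from a request (e.g. a decoded JSON body) and expands them as **kwargs.
"""
import re
import unicodedata

# A plain identifier: ASCII letter or underscore, then letters, digits, underscores.
# \A and \Z are used on purpose: `$` matches before a trailing newline, so
# re.match(r"^\w+$", "total\n") would accept an alias ending in a control character.
_PLAIN_IDENTIFIER = re.compile(r"\A[A-Za-z_][A-Za-z0-9_]*\Z")


def alias_problem(alias):
    """Return a short reason the alias is unsafe, or None if it is a plain identifier."""
    if not isinstance(alias, str) or not alias:
        return "alias must be a non-empty string"
    for ch in alias:
        # Unicode general category "C*" covers control (Cc), format (Cf) and other
        # non-printing code points, including DEL (\x7f) and zero-width characters.
        if unicodedata.category(ch).startswith("C"):
            return f"control character {ch!r} in alias"
    if "." in alias:
        # A period is what made order_by() treat the name as a raw table.column pair.
        return "period in alias"
    if not _PLAIN_IDENTIFIER.match(alias):
        return f"alias {alias!r} is not a plain identifier"
    return None


def check_aliases(kwargs):
    """Validate every key of a **kwargs mapping; return a copy or raise ValueError."""
    for name in kwargs:
        problem = alias_problem(name)
        if problem is not None:
            raise ValueError(problem)
    return dict(kwargs)


def check_order_by(fields, allowed):
    """Allowlist ordering: each entry, minus a leading '-', must be in `allowed`.

    Syntax checks alone are not enough for order_by(): whoever controls the alias
    names also controls what they resolve to, so the set of orderable names is
    fixed by the application rather than derived from the request.
    """
    cleaned = []
    for field in fields:
        name = field[1:] if field.startswith("-") else field
        if name not in allowed:
            raise ValueError(f"ordering by {field!r} is not permitted")
        cleaned.append(field)
    return cleaned


if __name__ == "__main__":
    # Constructed sample input standing in for a decoded request body (hypothetical).
    requested = {"total": "sum_of_amounts", "total\n": "x", "t.c": "y", "1st": "z"}
    for name in requested:
        print(repr(name), "->", alias_problem(name))
    print(check_order_by(["-total", "id"], allowed={"total", "id"}))
```

In a view the pattern is `qs.annotate(**check_aliases(request_aliases))` and `qs.order_by(*check_order_by(request_fields, ALLOWED_ORDERING))`; the validation is deliberately independent of the ORM so it can be unit-tested without a database.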
2024-07-31  Simon Charette
[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.

2023-11-18  Simon Charette
[4.2.x] Fixed #34975 -- Fixed crash of conditional aggregate() over aggregations.

Adjustments made to solve_lookup_type to defer the resolving of references for summarized aggregates failed to account for similar requirements for lookup values which can also reference annotations through Aggregate.filter. Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d. Refs #25307. Thanks Sergey Nesterenko for the report. Backport of 7530cf3900ab98104edcde69e8a2a415e82b345a from main

2023-10-16  Simon Charette
[4.2.x] Fixed #34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries.

Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7, complements e5c844d6f2a4ac6ae674d741b5f1fa2a688cedf4. Refs #28477, #34551. Thanks Haldun Komsuoglu for the report. Backport of 3b4a571275d967512866012955eb0b3ae486d63c from main

2023-08-01  Mariusz Felisiak
[4.2.x] Fixed #34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations.

Thanks Toan Vuong for the report. Thanks Simon Charette for the review. Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Backport of c9b9a52edc66be117c6e5b5214fa788a4d5db7a8 from main

2023-07-19  Simon Charette
[4.2.x] Fixed #34717 -- Fixed QuerySet.aggregate() crash when referencing window functions.

Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks younes-chaoui for the report. Backport of 68912e4f6f84f21322f92a2c7b6c77f68f91b9c9 from main

2023-06-01  Simon Charette
[4.2.x] Fixed #34612 -- Fixed QuerySet.only() crash on reverse relationships.

Regression in b3db6c8dcb5145f7d45eff517bcd96460475c879. Thanks Ian Cubitt for the report. This also corrected test_inheritance_deferred2() test which was previously properly defined and marked as an expected failure but was then wrongly adjusted to mask the lack of support for per-alias deferral that was fixed by #21204. Backport of 2cf76f2d5d1aa16acfadaf53db3d30128a34b088 from main

2023-05-23  Simon Charette
[4.2.x] Fixed #34551 -- Fixed QuerySet.aggregate() crash when referencing subqueries.

Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks Denis Roldán and Mariusz for the test. Backport of e5c844d6f2a4ac6ae674d741b5f1fa2a688cedf4 from main

2023-05-23  Simon Charette
[4.2.x] Refs #34551 -- Fixed QuerySet.aggregate() crash on preceding aggregation reference.

Regression in 1297c0d0d76a708017fe196b61a0ab324df76954. Refs #31679. Backport of 2ee01747c32a7275a7a1a5f7862acba7db764921 from main

2023-05-22  Simon Charette
[4.2.x] Fixed #34580 -- Avoided unnecessary computation of selected expressions in SQLCompiler.

Performance regression in 278881e37619278789942513916acafaa88d26f3. Co-authored-by: David Smith <smithdc@gmail.com> Backport of 98f6ada0e2058d67d91fb6c16482411ec2ca0967 from main

2023-05-17  Simon Charette
[4.2.x] Fixed #34570 -- Silenced noop deferral of many-to-many and GFK.

While deferring many-to-many and GFK has no effect, the previous implementation of QuerySet.defer() ignored them instead of crashing. Regression in b3db6c8dcb5145f7d45eff517bcd96460475c879. Thanks Paco Martínez for the report. Backport of 99e5dff737cd20b12d060e4794e097063b61ec40 from main

2023-04-07  Simon Charette
[4.2.x] Fixed #34464 -- Fixed queryset aggregation over group by reference.

Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Refs #28477. Thanks Ian Cubitt for the report. Backport of 9daf8b4109c3e133eb57349bb44d73cc60c5773c from main

2023-04-05  Simon Charette
[4.2.x] Fixed #34458 -- Fixed QuerySet.defer() crash on attribute names.

Thanks Andrew Cordery for the report. Regression in b3db6c8dcb5145f7d45eff517bcd96460475c879. Backport of 87c63bd8df0eb0109df333df1264c6a96707d6a4 from main

2023-03-28  Mariusz Felisiak
[4.2.x] Refs #29799 -- Added field instance lookups to suggestions in FieldErrors.

Bug in cd1afd553f9c175ebccfc0f50e72b43b9604bd97. Backport of 3afdc9e9b47d5bdd1bd653633b4cb2357478ade5 from main

2023-02-27  Simon Charette
[4.2.x] Fixed #34368 -- Made subquery raise NotSupportedError when referencing outer window expression.

Regression in f387d024fc75569d2a4a338bfda76cc2f328f627. Co-authored-by: Jannis Vajen <jvajen@gmail.com> Backport of c67ea79aa981ae82595d89f8018a41fcd842e7c9 from main

2023-02-27  Simon Charette
[4.2.x] Fixed #34372 -- Fixed queryset crash on order by aggregation using OrderBy.

Regression in 278881e37619278789942513916acafaa88d26f3 caused by a lack of expression copying when an OrderBy expression is explicitly provided. Thanks Jannis Vajen for the report and regression test. Backport of b15f162f252610e3b510ade465549769ab4356cf from main

2023-02-20  Simon Charette
[4.2.x] Fixed #34346 -- Ordered selected expressions by position.

Used the same approach as for #34176 by using selected expressions position to prevent ambiguous aliases in collisions. Thanks henribru for the report. Regression in 04518e310d4552ff7595a34f5a7f93487d78a406. Backport of 278881e37619278789942513916acafaa88d26f3 from main

2023-01-24  朱穆穆
[4.2.x] Fixed #34227 -- Fixed QuerySet.select_related() with multi-level FilteredRelation.

Backport of d3c93cdc597e0efc2815111c04dd5a427432ed37 from main

2023-01-20  Francesco Panico
[4.2.x] Fixed #34267 -- Fixed sliced QuerySet.union() crash.

Regression in 3d734c09ff0138441dfe0a59010435871d17950f. Thanks Raphaël Stefanini for the report. Backport of cc8aa6bf9c127a493e6dd005012b9e6397b3f319 from main

2023-01-09  Simon Charette
Fixed #34176 -- Fixed grouping by ambiguous aliases.

Regression in b7b28c7c189615543218e81319473888bc46d831. Refs #31377. Thanks Shai Berger for the report and reviews. test_aggregation_subquery_annotation_values_collision() has been updated as queries that are explicitly grouped by a subquery should always be grouped by it and not its outer columns even if its alias collides with referenced table columns. This was not possible to accomplish at the time 10866a10 landed because we didn't have compiler level handling of colliding aliases.

2023-01-04  Simon Charette
Simplified SQLCompiler.get_group_by() a bit.

2022-12-27  朱穆穆
Fixed #34226 -- Fixed QuerySet.select_related() with multiple FilteredRelations to the OneToOneField.

2022-12-24  Mariusz Felisiak
Refs #34226 -- Renamed local field variables in SQLCompiler.get_related_selections() to avoid redefinition.

2022-12-01  Simon Charette
Refs #33308 -- Deprecated support for passing encoded JSON string literals to JSONField & co.

JSON should be provided as literal Python objects and not in their encoded string literal forms.

2022-11-23  Simon Charette
Fixed #31679 -- Delayed annotating aggregations.

By avoiding annotating aggregations that might be pushed to an outer query until their references are resolved, it is possible to aggregate over a query with the same alias. Even if #34176 is a convoluted case to support, this refactor seems worth it given the reduction in complexity it brings with regards to annotation removal when performing a subquery pushdown.

2022-11-22  DevilsAutumn
Fixed #34171 -- Fixed QuerySet.bulk_create() on fields with db_column in unique_fields/update_fields.

Bug in 0f6946495a8ec955b471ca1baaf408ceb53d4796. Thanks Joshua Brooks for the report.

2022-11-15  Simon Charette
Fixed #34123 -- Fixed combinator order by alias when using select_related().

Regression in c58a8acd413ccc992dd30afd98ed900897e1f719. Thanks to Shai Berger for the report and tests. Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>

2022-11-15  Simon Charette
Avoided unnecessary usage of RawSQL.

This ensures proper alias quoting.

2022-11-14  Simon Charette
Refs #25307 -- Replaced SQLQuery.rewrite_cols() by replace_expressions().

The latter offers a more generic interface that doesn't require specialized expression types handling.

2022-11-14  Simon Charette
Reduced nesting inside Query.get_aggregation().

2022-11-14  Simon Charette
Refs #28477 -- Fixed handling aliased annotations on aggregation.

Just like when using .annotate(), the .alias() method will generate the necessary JOINs to resolve the alias even if not selected. Since these JOINs could be multi-valued, non-selected aggregates must be considered to require subquery wrapping as a GROUP BY is required to combine duplicated tuples from the base table. Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7.

2022-11-11  Simon Charette
Refs #28477 -- Reduced complexity of aggregation over qualify queries.

2022-11-09  Simon Charette
Fixed #28477 -- Stripped unused annotations on aggregation.

Also avoid an unnecessary pushdown when aggregating over a query that doesn't have aggregate annotations.

2022-11-07  Simon Charette
Refs #33374 -- Adjusted full match condition handling.

Adjusting WhereNode.as_sql() to raise an exception when encountering a full match, just like with empty matches, ensures that all cases are explicitly handled.

2022-11-07  Simon Charette
Refs #17144 -- Removed support for grouping by primary key.

No core backend requires the feature anymore as it was only added to support a MySQL'ism that has been deprecated since then.

2022-11-07  Simon Charette
Fixed #31331 -- Switched MySQL to group by selected primary keys.

MySQL 5.7.15 supports group by functional dependencies so there is no need to special case group by main table primary key anymore and special case the ONLY_FULL_GROUP_BY sql mode.

2022-10-31  Nick Pope
Used more augmented assignment statements.

Identified using the following command: $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'

2022-10-29  Simon Charette
Fixed #34125 -- Fixed sliced QuerySet.union() crash on a single non-empty queryset.

The bug existed since sliced query union was added but was elevated to query union slices by moving the .exists() optimization to the compiler in 3d734c09ff0138441dfe0a59010435871d17950f. Thanks Stefan Hammer for the report.

2022-10-28  Simon Charette
Used Query.is_sliced in SQLCompiler.as_sql().

2022-10-18  Simon Charette
Fixed #34105 -- Fixed crash of ordering by nested selected expression.

This stops ordering by nested selected references. It's not supported on PostgreSQL and not required to support psycopg3. Regression in 04518e310d4552ff7595a34f5a7f93487d78a406. Thanks Matt Westcott for the report.

2022-10-06  Simon Charette
Refs #30158 -- Removed alias argument for Expression.get_group_by_cols().

Recent refactors to GROUP BY aliasing allowed for aliasing to be entirely handled by the sql.Query.set_group_by and compiler layers.

2022-10-06  Simon Charette
Refs #31150 -- Enabled implicit GROUP BY aliases.

This ensures implicit grouping from aggregate function annotations groups by uncollapsed selected aliases if supported. The feature is disabled on Oracle because it doesn't support it.

2022-10-06  Simon Charette
Refs #33992 -- Refactored subquery grouping logic.

This required moving the combined queries slicing logic to the compiler in order to allow Query.exists() to be called at expression resolving time. It allowed for Query.exists() to be called at Exists() initialization time and thus ensured that get_group_by_cols() was operating on the terminal representation of the query that only has a single column selected.

2022-10-06  Simon Charette
Refs #33308 -- Enabled explicit GROUP BY and ORDER BY aliases.

This ensures explicit grouping from using values() before annotating an aggregate function groups by selected aliases if supported. The GROUP BY feature is disabled on Oracle because it doesn't support it.

2022-10-05  Simon Charette
Fixed #33768 -- Fixed ordering compound queries by nulls_first/nulls_last on MySQL.

Columns of the left outermost select statement in a combined query can be referenced by alias just like by index. This removes combined query ordering by column index and avoids an unnecessary usage of RawSQL which causes issues for backends that specialize the treatment of null ordering.

2022-10-04  Simon Charette
Avoided unnecessary call to .get_source_expressions().

The SQLCompiler._order_by_pairs() generator method yields instances of OrderBy and not Expression.