summaryrefslogtreecommitdiff
path: root/django/db/models/sql
AgeCommit message (Collapse)Author
2025-10-01[5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), ↵Mariusz Felisiak
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-03[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL ↵Jake Howard
injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-08-29[5.2.x] Fixed #36431 -- Returned tuples for multi-column ForeignObject in ↵SaJH
values()/values_list(). Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH <wogur981208@gmail.com> Backport of bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a from main
2025-05-16[5.2.x] Fixed #36392 -- Raised ValueError when subquery referencing ↵Jacob Walls
composite pk selects too many columns. Backport of 994dc6d8a1bae717baa236b65e11cf91ce181c53 from main.
2025-04-07[5.2.x] Fixed #36301 -- Fixed select_for_update(of) crash when using ↵Simon Charette
values()/values_list(). Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for annotations to be SELECT'ed before model field references through values()/values_list() and broke assumptions the select_for_update(of) table infererence logic had about model fields always being first. Refs #28900. Thanks OutOfFocus4 for the report and Sarah for the test. Backport of 71a19a0e475165dbc14c1fe02f552013ee670e4c from main
2025-04-05[5.2.x] Fixed #36299 -- Prevented field selection on QuerySet.alias() after ↵Simon Charette
values(). Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests. Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com> Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main
2025-04-03[5.2.x] Fixed #36292 -- Fixed crash when aggregating over a group mixing ↵Simon Charette
transforms and references. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900 Thanks Patrick Altman for the report. Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main
2025-02-15[5.2.x] Refs #36181 -- Removed the obsolete SubqueryConstraint machinery.Mariusz Felisiak
Adding proper support for subquery right-hand-sides to TupleIn made it obsolete. Backport of d386405e04dac50656af50d100a14efdf8c58e8f from main Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-02-11[5.2.x] Fixed #36149 -- Allowed subquery values against tuple exact and in ↵Simon Charette
lookups. Non-tuple exact and in lookups have specialized logic for subqueries that can be adapted to properly assign select mask if unspecified and ensure the number of involved members are matching on both side of the operator. Backport of 41239fe34d64e801212dccaa4585e4802d0fac68 from main.
2025-02-06[5.2.x] Fixed #35677 -- Avoided non-sticky filtering of prefetched many-to-many.Simon Charette
The original queryset._next_is_sticky() call never had the intended effect as no further filtering was applied internally after the pk__in lookup making it a noop. In order to be coherent with how related filters are applied when retrieving objects from a related manager the effects of what calling _next_is_sticky() prior to applying annotations and filters to the queryset provided for prefetching are emulated by allowing the reuse of all pre-existing JOINs. Thanks David Glenck and Thiago Bellini Ribeiro for the detailed reports and tests. Backport of 2598b371a93e21d84b7a2a99b2329535c8c0c138 from main.
2025-01-28[5.2.x] Fixed #36122 -- Raised FieldError when updating with composite ↵Simon Charette
reference value. Thanks Jacob Walls for the report and test. Backport of efec74b90868c2e611f863bf4301d92ce08067e8 from main.
2025-01-28[5.2.x] Fixed #36120 -- Raised FieldError when targeting a composite primary ↵Jacob Walls
key field with QuerySet.update(). Backport of 72ff18d41cfb004ae180bdf87fd8bad93041c691 from main.
2025-01-27[5.2.x] Fixed #36109 -- Fixed RecursionError when stacking FilteredRelation ↵Peter DeVita
joins. Backport of 8eca4077f60fa0705ecfd9437c9ceaeef7a3808b from main.
2025-01-13Fixed #36086 -- Fixed crash when using GeneratedField with non-AutoField pk.Simon Charette
The previous logic was systematically attempting to retrieve last_insert_id even for models without an AutoField primary key when they had a GeneratedField on backends that can't return columns from INSERT. The issue affected MySQL, SQLite < 3.35, and Oracle when the use_returning_into option was disabled and could result in either crashes when the non-auto primary key wasn't an IntegerField subclass or silent misassignment of bogus insert ids (0 or the previous auto primary key insert value) to the first defined generated field value.
2025-01-13Refs #373 -- Removed unused composite pk code in SQLInsertCompiler.Simon Charette
This logic could only be exercised if the composite primary key included an AutoField but it's not allowed yet (refs #35957). It was also slightly broken as it expected the AutoField to always be the first member of returning_fields.
2025-01-08Fixed #36065 -- Fixed ordering by expression referencing composite primary key.Simon Charette
Thanks Jacob Walls for the report and test and Csirmaz Bendegúz for the review.
2025-01-03Fixed #35918 -- Added support for execute_sql to directly return row counts.Raphael Gaschignard
2025-01-03Fixed #36029 -- Handled implicit exact lookups in condition depth checks for ↵Jacob Walls
FilteredRelation.
2024-12-11Refs #35936 -- Avoided field placeholder lookup for each value inserted.Simon Charette
By building the list of placeholders for each inserted fields once it doesn't have to be looked up for each inserted rows twice. The query_values_10000.benchmark.QueryValues10000.time_query_values_10000 ASV benchmark showed a 5% speed up for 10k items on SQLite for a single field insertion. Larger performance gains are expected when more fields are involved.
2024-11-29Fixed #373 -- Added CompositePrimaryKey.Bendeguz Csirmaz
Thanks Lily Foote and Simon Charette for reviews and mentoring this Google Summer of Code 2024 project. Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Lily Foote <code@lilyf.org>
2024-10-14Fixed #35744 -- Relabelled external aliases of combined queries.Simon Charette
Just like normal queries, combined queries' outer references might fully resolve before their reference is assigned its final alias. Refs #29338. Thanks Antony_K for the report and example, and thanks Mariusz Felisiak for the review.
2024-08-12Fixed #35586 -- Added support for set-returning database functions.Devin Cox
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres. Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-06Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks ↵Simon Charette
against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-02Fixed #35643 -- Fixed a crash when ordering a QuerySet by a reference ↵Simon Charette
containing "__". Regression in b0ad41198b3e333f57351e3fce5a1fb47f23f376. Refs #34013. The initial logic did not consider that annotation aliases can include lookup or transform separators. Thanks Gert Van Gool for the report and Mariusz Felisiak for the review.
2024-08-01Refs #373 -- Added tuple lookups.Bendeguz Csirmaz
2024-07-23Fixed #35585 -- Corrected Query.exists() call in Query.has_results().Flavio Curella
2024-07-22Fixed #35614 -- Prevented SQLCompiler.as_subquery_condition() from mutating ↵Bendeguz Csirmaz
a query.
2024-07-19Fixed #35559 -- Avoided unnecessary query on sliced union of empty queries.Simon Charette
While refs #34125 focused on the SQL correctness of slicing of union of potentially empty queries it missed an optimization opportunity to avoid performing a query at all when all queries are empty. Thanks Lucidiot for the report.
2024-07-16Doc'd purpose of tuple() in SQLCompiler.get_from_clause().Tim Graham
It was added in 01d440fa1e6b5c62acfa8b3fde43dfa1505f93c6 to prevent "RuntimeError: OrderedDict mutated during iteration". That particular issue was fixed in d660cee5bc68b597503c2a16f3d9928d52f93fb4 but the issue could remain in Join.as_sql() subclasses. Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-07-15Removed leftover KeyError handling after Query.tables attribute cleanup.nessita
Follow up from f7f5edd50d03e8482f8a6da5fb5202b895d68cd6.
2024-07-09Fixed #35413 -- Made unsupported lookup error message more specific.wookkl
2024-07-03Refs #28900 -- Made Query.has_select_fields a computed property.Simon Charette
This should ensure it never drifts from Query.selected while maintaining backward compatibility.
2024-07-03Fixed #28900 -- Propagated all selected fields to combinator queries.Simon Charette
Previously, only the selected column aliases would be propagated and annotations were ignored.
2024-07-03Refs #28900 -- Made SELECT respect the order specified by values(*selected).Simon Charette
Previously the order was always extra_fields + model_fields + annotations with respective local ordering inferred from the insertion order of *selected. This commits introduces a new `Query.selected` propery that keeps tracks of the global select order as specified by on values assignment. This is crucial feature to allow the combination of queries mixing annotations and table references. It also allows the removal of the re-ordering shenanigans perform by ValuesListIterable in order to re-map the tuples returned from the database backend to the order specified by values_list() as they'll be in the right order at query compilation time. Refs #28553 as the initially reported issue that was only partially fixed for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67. Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-06-25Used Query.add_annotation where appropriate.Simon Charette
This avoids manual .annotations and .append_annotation_mask manipulations.
2024-04-23Refs #35356 -- Clarified select related with masked field logic.Simon Charette
By always including related objects in the select mask via adjusting the defer logic (_get_defer_select_mask()), it becomes possible for select_related_descend() to treat forward and reverse relationships indistinctively. This work also simplifies and adds comments to select_related_descend() to make it easier to understand.
2024-04-23Fixed #35356 -- Deferred self-referential foreign key fields adequately.Simon Charette
While refs #34612 surfaced issues with reverse one-to-one fields deferrals, it missed that switching to storing remote fields would break self-referential relationships. This change switches to storing related objects in the select mask instead of remote fields to prevent collisions when dealing with self-referential relationships that might have a different directional mask. Despite fixing #21204 introduced a crash under some self-referential deferral conditions, it was simply not working even before that as it aggregated the sets of deferred fields by model. Thanks Joshua van Besouw for the report and Mariusz Felisiak for the review.
2024-03-15Fixed #35294 -- Fixed TEXT format of QuerySet.explain() for long plans.Adam Johnson
co-authored-by: Gordon <gordon.wrigley@gmail.com> co-authored-by: Simon Charette <charette.s@gmail.com>
2024-02-26Fixed #35241 -- Cached model's full parent list.Adam Johnson
co-authored-by: Keryn Knight <keryn@kerynknight.com> co-authored-by: Natalia <124304+nessita@users.noreply.github.com> co-authored-by: David Smith <smithdc@gmail.com> co-authored-by: Paolo Melchiorre <paolo@melchiorre.org>
2024-02-07Fixed #35099 -- Prevented mutating queryset when combining with & and | ↵Hisham Mahmood
operators. Thanks Alan for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-01-29Fixed #35135 -- Made FilteredRelation raise ValueError on querysets as rhs.Nicolas Delaby
Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2024-01-15Refs #35102 -- Optimized replace_expressions()/relabelling aliases by adding ↵Mariusz Felisiak
early return. This avoids costly hashing. Thanks Anthony Shaw for the report. Co-Authored-By: Simon Charette <charette.s@gmail.com>
2023-12-23Fixed #35050 -- Fixed prefixing field names in FilteredRelation().David Wobrock
Thanks Mark Zorn for the report. Regression in 59f475470494ce5b8cbff816b1e5dafcbd10a3a3.
2023-12-16Fixed #35042 -- Fixed a count() crash on combined queries.Simon Charette
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7. Thanks Marcin for the report.
2023-12-12Fixed #34013 -- Added QuerySet.order_by() support for annotation transforms.Simon Charette
Thanks Eugene Morozov and Ben Nace for the reports.
2023-12-07Fixed #35024 -- Fixed model instance creation crash on ↵Mariusz Felisiak
GeneratedField.output_field with backend converters. Regression in d9de74141e8a920940f1b91ed0a3ccb835b55729. This is a long standing issue, however it caused a crash of GeneratedFields for all output fields that have backend-specific converters when the RETURNING clause is not supported (MySQL and SQLite < 3.35). That's why severity was exacerbated.
2023-11-18Refs #34717 -- Avoided computing aggregate refs twice.Simon Charette
2023-11-18Refs #34975 -- Complemented rhs filtering aggregations for __in lookup.Simon Charette
While this isn't a regression it's clear that similar logic should be applied when dealing with lists of expressions passed as a lookup value.
2023-11-18Fixed #34975 -- Fixed crash of conditional aggregate() over aggregations.Simon Charette
Adjustments made to solve_lookup_type to defer the resolving of references for summarized aggregates failed to account for similar requirements for lookup values which can also reference annotations through Aggregate.filter. Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d. Refs #25307. Thanks Sergey Nesterenko for the report.