summaryrefslogtreecommitdiff
path: root/tests/expressions/test_queryset_values.py
AgeCommit message (Collapse)Author
2026-02-03Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via ↵Jake Howard
control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2025-10-01Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), ↵Mariusz Felisiak
and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
2025-08-29Refs #36152 -- Suppressed duplicate warning when using "%" in alias via ↵Jacob Walls
values().
2024-08-06Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks ↵Simon Charette
against JSON fields. Thanks Eyal (eyalgabay) for the report.
2022-04-14Relaxed some query ordering assertions in various tests.Mariusz Felisiak
It accounts for differences seen on MySQL with MyISAM storage engine.
2022-04-11Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and ↵Mariusz Felisiak
extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2020-02-04Simplified imports from django.db and django.contrib.gis.db.Nick Pope
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-08-18Fixed #25871 -- Added expressions support to QuerySet.values().Ian Foote