| Age | Commit message | Author | |
|---|---|---|---|
| 2026-02-03 | Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. | Jake Howard | |
| 2025-10-01 | Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. | Mariusz Felisiak | |
| 2025-08-29 | Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values(). | Jacob Walls | |
| 2024-08-06 | Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. | Simon Charette | |
| 2022-04-14 | Relaxed some query ordering assertions in various tests. It accounts for differences seen on MySQL with MyISAM storage engine. | Mariusz Felisiak | |
| 2022-04-11 | Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2020-02-04 | Simplified imports from django.db and django.contrib.gis.db. | Nick Pope | |
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2016-08-18 | Fixed #25871 -- Added expressions support to QuerySet.values(). | Ian Foote | |
