| Age | Commit message (Collapse) | Author |
|
This allows backends that don't support extra() to skip it.
|
|
Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a
prior iteration.
|
|
|
|
This ensures all database identifiers are quoted independently of their orign
and most importantly that user provided aliases through annotate() and alias()
which paves the way for dropping the allow list of characters such aliases can
contain.
This will require adjustments to raw SQL interfaces such as RawSQL that might
make reference to ORM managed annotations as these will now be quoted.
The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias
for the newly introduced `.quote_name` method but will be duly deprecated in
a follow up commit.
|
|
Multiple calls are idempotent assuming they're balanced. Also, multiple
calls to disable cloning followed by a single call to re-enable cloning
will subsequently cause clones to occur - it is not a stack, just a
toggle.
@contextlib.contextmanager is intentionally not used for performance
reasons:
- decorator takes 1.1µs to execute, or 2µs if used correctly in a
`with ...:` statement
- custom class takes 300ns to execute, or 900ns if used correctly in a
`with ...:` statement
Based on work originally done by Anssi Kääriäinen and Tim Graham.
|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
dictionary expansion.
|
|
and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
|
|
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
|
|
Now that selected aliases are stored in sql.Query.selected: dict[str, Any]
the values_list() method must ensures that duplicate field name references are
assigned unique aliases.
Refs #28900.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Thanks Claude for the report.
|
|
Non-tuple exact and in lookups have specialized logic for subqueries that can
be adapted to properly assign select mask if unspecified and ensure the number
of involved members are matching on both side of the operator.
|
|
|
|
Previously, only the selected column aliases would be propagated and
annotations were ignored.
|
|
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.
This commits introduces a new `Query.selected` propery that keeps tracks of the
global select order as specified by on values assignment. This is crucial
feature to allow the combination of queries mixing annotations and table
references.
It also allows the removal of the re-ordering shenanigans perform by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.
Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67.
Thanks Mariusz Felisiak and Sarah Boyce for review.
|
|
operators.
Thanks Alan for the report.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
The implementation of some core types differ between CPython and PyPy
and this may affect the way that pickling works such that errors are
raised in differing locations in the interpreter or not at all.
Use our own custom non-pickleable type instead to avoid these quirks.
|
|
Slice on unordered subquery may be non-deterministic in some databases.
|
|
The outer query reference is not necessary when alias can be reused and
can even be harmful by confusing query planers.
Refs #34597.
|
|
filters.
Per deprecation timeline.
|
|
|
|
Adjusting WhereNode.as_sql() to raise an exception when encoutering a
full match just like with empty matches ensures that all case are
explicitly handled.
|
|
assertQuerySetEqual().
Co-Authored-By: Michael Howitz <mh@gocept.com>
|
|
where appropriate.
Follow up to 3f7b3275627385f8f7531fca01cdda50d4ec6b6e.
|
|
|
|
|
|
This ensures field deferral works properly when a model is involved
more than once in the same query with a distinct deferral mask.
|
|
|
|
It accounts for differences seen on MySQL with MyISAM storage engine.
|
|
distinct querysets.
|
|
|
|
extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
|
|
|
|
Co-Authored-By: Hasan Ramezani <hasan.r67@gmail.com>
|
|
Most QuerySet methods are mapped onto the Manager and, in general,
it isn't necessary to call .all() on the manager.
|
|
|
|
|
|
In these cases Black produces unexpected results, e.g.
def make_random_password(
self,
length=10,
allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):
or
cursor.execute("""
SELECT ...
""",
[table name],
)
|
|
with aliases that conflict.
|
|
objects.
Fixed in 58da81a5a372a69f0bac801c412b57f3cce5f188.
|
|
create a shallow copy of children."
This reverts commit e441847ecae99dd1ccd0d9ce76dbcff51afa863c.
A shallow copy is not enough because querysets can be reused and
evaluated in nested nodes, which shouldn't mutate JOIN aliases.
Thanks Michal Čihař for the report.
|
|
django.db.models.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
Address a long standing bug in a Where.add optimization to discard
equal nodes that was surfaced by implementing equality for Lookup
instances in bbf141bcdc31f1324048af9233583a523ac54c94.
Thanks Shaheed Haque for the report.
|
|
|
|
|
|
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9cb63a6c0b06daf045bc1c21eb4d7c1 but
sql.Query.combine never properly handled subqueries outer refs in the
first place, see QuerySetBitwiseOperationTests.test_subquery_aliases()
(refs #27149).
Thanks Raffaele Salmaso for the report.
|
|
operations for sliced querysets.
|
|
Per deprecation timeline.
|
|
This also replaces assertQuerysetEqual() to
assertSequenceEqual()/assertCountEqual() where appropriate.
Co-authored-by: Peter Inglesby <peter.inglesby@gmail.com>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
As mentioned in the pre-existing split_exclude() docstring EXISTS is
easier to optimize for query planers and circumvents the IN (NULL)
handling issue.
|
|
The code from the original fix (922aba3def68e57c405a0e50d353a790af85b00a)
was removed in 419de7b00daabf5e9be064198d370cdbf19b5f2d.
|