| Age | Commit message (Collapse) | Author |
|
aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
|
|
dictionary expansion.
Backport of 3c3f46357718166069948625354b8315a8505262 from main.
|
|
the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
|
|
Regression in 3d734c09ff0138441dfe0a59010435871d17950f.
Thanks Raphaël Stefanini for the report.
Backport of cc8aa6bf9c127a493e6dd005012b9e6397b3f319 from main
|
|
|
|
Passing None to params causes errors in determining the data type on
psycopg3.
|
|
select_related().
Thanks Simon Charette for noticing this.
Fixed in 70499b25c708557fb9ee2264686cd172f4b2354e.
|
|
Regression in c58a8acd413ccc992dd30afd98ed900897e1f719.
Thanks to Shai Berger for the report and tests.
Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>
|
|
Adjusting WhereNode.as_sql() to raise an exception when encoutering a
full match just like with empty matches ensures that all case are
explicitly handled.
|
|
|
|
queryset.
The bug existed since sliced query union was added but was elevated to
query union slices by moving the .exists() optimization to the compiler
in 3d734c09ff0138441dfe0a59010435871d17950f.
Thanks Stefan Hammer for the report.
|
|
assertQuerySetEqual().
Co-Authored-By: Michael Howitz <mh@gocept.com>
|
|
where appropriate.
Follow up to 3f7b3275627385f8f7531fca01cdda50d4ec6b6e.
|
|
MySQL.
Columns of the left outer most select statement in a combined query
can be referenced by alias just like by index.
This removes combined query ordering by column index and avoids an
unnecessary usage of RawSQL which causes issues for backends that
specialize the treatment of null ordering.
|
|
for models with Meta.ordering.
This makes QuerySet.order_by() no longer ignore trailing transforms for
models with Meta.ordering. As a consequence, FieldError is raised in
such cases for non-existent fields.
Thanks to Klaas van Schelven for the report and Mariusz Felisiak for the
review and advice.
|
|
|
|
|
|
This ensures field deferral works properly when a model is involved
more than once in the same query with a distinct deferral mask.
|
|
Node.create() which has a compatible signature with Node.__init__()
takes in a single `children` argument rather than relying in unpacking
*args in Q.__init__() which calls Node.__init__().
In addition, we were often needing to unpack iterables into *args and
can instead pass a list direct to Node.create().
|
|
|
|
on PostgreSQL and MySQL.
Thanks Shai Berger for the report.
Regression in 30a01441347d5a2146af2944b29778fa0834d4be.
|
|
|
|
|
|
|
|
|
|
format is uppercased.
Follow up to aba9c2de669dcc0278c7ffde7981be91801be00b.
|
|
It accounts for differences seen on MySQL with MyISAM storage engine.
|
|
that don't support transactions.
|
|
|
|
QuerySet.select_for_update() is not supported by all databases.
Moreover it cannot be used outside of a transaction.
|
|
distinct querysets.
|
|
|
|
Always True since 6723a26e59b0b5429a0c5873941e01a2e1bdbb81.
|
|
injection on PostgreSQL.
|
|
extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
|
|
|
|
|
|
Co-Authored-By: Hasan Ramezani <hasan.r67@gmail.com>
|
|
Most QuerySet methods are mapped onto the Manager and, in general,
it isn't necessary to call .all() on the manager.
|
|
write database.
The lack of _for_write = True assignment in bulk_update prior to
accessing self.db resulted in the db_for_read database being used to
wrap batched UPDATEs in a transaction.
Also tweaked the batch queryset creation to also ensure they are
executed against the same database as the opened transaction under all
circumstances.
Refs #23646, #33501.
|
|
|
|
|
|
In these cases Black produces unexpected results, e.g.
def make_random_password(
self,
length=10,
allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):
or
cursor.execute("""
SELECT ...
""",
[table name],
)
|
|
|
|
Thanks Eugene Kovalev for the initial patch, Simon Charette for the
review, and Chetan Khanna for help.
|
|
with aliases that conflict.
|
|
with bulk_update().
|
|
SQLCompiler.
|
|
objects.
Fixed in 58da81a5a372a69f0bac801c412b57f3cce5f188.
|