author: Simon Charette <charette.s@gmail.com> 2022-06-19 23:46:22 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-07-06 09:10:41 +0200
commit: 585ed2f6d7e02b64747770add0e2d3749980d73c
tree: a1ba7ee315f5160fc92dc4e311901ac20d4b0846 /docs
parent: 14057603c747eed7ee0bb8fe1fb34b330caa6c58
[4.1.x] Refs CVE-2022-34265 -- Properly escaped Extract() and Trunc() parameters.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Backport of 877c800f255ccaa7abde1fb944de45d1616f5cc9 from main
Diffstat (limited to 'docs')
-rw-r--r-- docs/releases/4.1.txt 14
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/4.1.txt b/docs/releases/4.1.txt
index ad6400c665..49bbf2dec2 100644
--- a/docs/releases/4.1.txt
+++ b/docs/releases/4.1.txt
@@ -459,6 +459,20 @@ backends.
``DatabaseOperations.insert_statement()`` method is replaced by
``on_conflict`` that accepts ``django.db.models.constants.OnConflict``.
+* Several date and time methods on ``DatabaseOperations`` now take ``sql`` and
+ ``params`` arguments instead of ``field_name`` and return 2-tuple containing
+ some SQL and the parameters to be interpolated into that SQL. The changed
+ methods have these new signatures:
+
+ * ``DatabaseOperations.date_extract_sql(lookup_type, sql, params)``
+ * ``DatabaseOperations.datetime_extract_sql(lookup_type, sql, params, tzname)``
+ * ``DatabaseOperations.time_extract_sql(lookup_type, sql, params)``
+ * ``DatabaseOperations.date_trunc_sql(lookup_type, sql, params, tzname=None)``
+ * ``DatabaseOperations.datetime_trunc_sql(self, lookup_type, sql, params, tzname)``
+ * ``DatabaseOperations.time_trunc_sql(lookup_type, sql, params, tzname=None)``
+ * ``DatabaseOperations.datetime_cast_date_sql(sql, params, tzname)``
+ * ``DatabaseOperations.datetime_cast_time_sql(sql, params, tzname)``
+
:mod:`django.contrib.gis`
-------------------------
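Review bot: In the list of new signatures, the ``datetime_trunc_sql`` entry is the only one that spells out ``self`` (``datetime_trunc_sql(self, lookup_type, sql, params, tzname)``); drop it so the entry matches the other seven. In the first added sentence, "return 2-tuple" should read "return a 2-tuple". The commit subject ties this change to CVE-2022-34265 and to escaping ``Extract()`` and ``Trunc()`` parameters, but the release note gives no reason for the signature change; a short clause telling third-party backend authors that the returned parameters are meant to be passed along with the SQL, not formatted into the SQL string, would make the intent of the new 2-tuple return value clear to the people who have to reimplement these methods.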