| Age | Commit message (Collapse) | Author |
|---|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
values()/values_list() calls.
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
|
|
This is also applicable on CockroachDB.
|
|
column aliases on PostgreSQL.
Follow-up to CVE-2025-57833.
Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak
for the reviews.
|
|
and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
|
|
Follow-up to cb13792938f2c887134eb6b5164d89f8d8f9f1bd. Refs #34437.
|
|
column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
|
|
|
|
Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.
|
|
Unintentional support existed only on SQLite and Oracle.
|
|
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Refs #28900.
Thanks Jeff Iadarola for the report and tests.
Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
|
|
alias.
Regression in ed0cbc8d8b314e3b4a0305d0be3cf366d8ee4a74.
|
|
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres.
Co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.
This commits introduces a new `Query.selected` propery that keeps tracks of the
global select order as specified by on values assignment. This is crucial
feature to allow the combination of queries mixing annotations and table
references.
It also allows the removal of the re-ordering shenanigans perform by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.
Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67.
Thanks Mariusz Felisiak and Sarah Boyce for review.
|
|
While the add_fields() call from set_values() does trigger validation it
does so after annotations are masked resulting in them being excluded
from the choices of valid options surfaced through a FieldError.
|
|
Thanks Simon Charette for reviews.
|
|
Adjusting WhereNode.as_sql() to raise an exception when encoutering a
full match just like with empty matches ensures that all case are
explicitly handled.
|
|
No core backend require the feature anymore as it was only added to
support a MySQL'ism that has been deprecated since then.
|
|
assertQuerySetEqual().
Co-Authored-By: Michael Howitz <mh@gocept.com>
|
|
alias().
This fixes clearing selected fields.
|
|
It accounts for differences seen on MySQL with MyISAM storage engine.
|
|
extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
|
|
CombinedExpression.
|
|
|
|
|
|
In these cases Black produces unexpected results, e.g.
def make_random_password(
self,
length=10,
allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):
or
cursor.execute("""
SELECT ...
""",
[table name],
)
|
|
|
|
Thanks Simon Charette for the review and implementation idea.
|
|
|
|
|
|
failures.
Co-authored-by: Tim Graham <timograham@gmail.com>
|
|
expressions.
Thanks Mariusz Felisiak and Simon Charette for reviews.
|
|
Thanks Gordon Wrigley for the report.
Regression in df32fd42b84cc6dbba173201f244491b0d154a63.
|
|
Regression in 42c08ee46539ef44f8658ebb1cbefb408e0d03fe.
Thanks Simon Charette for the review.
|
|
|
|
Thanks Gordon Wrigley for the report.
Regression in 8a6df55f2dd5131282084a4edfd48f63fbf8c69a.
|
|
|
|
QuerySet.alias() allows creating reusable aliases for expressions that
don't need to be selected but are used for filtering, ordering, or as
a part of complex expressions.
Thanks Simon Charette for reviews.
|
|
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.
|
|
|
|
combined expressions.
Thanks Thodoris Sotiropoulos for the report and Simon Charette for the
implementation idea.
Regression in df32fd42b84cc6dbba173201f244491b0d154a63.
|
|
expressions.
Regression in df32fd42b84cc6dbba173201f244491b0d154a63.
Thanks Simon Charette for the review.
|
|
Regression in 3a941230c85b2702a5e1cd97e17251ce21057efa.
Thanks Tomasz Szymański for the report.
|
|
Exists() annotation and aggregation on Oracle.
Oracle requires the EXISTS expression to be wrapped in a CASE WHEN in
the GROUP BY clause.
Regression in efa1908f662c19038a944129c81462485c4a9fe8.
|
|
after annotate() with aggregations and subqueries.
Subquery annotation references must be resolved if they are excluded
from the GROUP BY clause by a following .values() call.
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
Thanks Makina Corpus for the report.
|
|
Follow up to 6461583b6cc257d25880ef9a9fd7e2125ac53ce1.
|
|
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-Authored-By: Hasan Ramezani <hasan.r67@gmail.com>
|
|
It accounts for differences seen on cockroachdb.
|
|
|
|
Now that subquery annotations aren't included in the GROUP BY unless
explicitly grouped against, the test works on Oracle.
|
