mirror of https://github.com/django/django.git synced 2025-10-26 07:06:08 +00:00
Commit Graph

78 Commits

Author SHA1 Message Date
Mariusz Felisiak
41b43c74bd Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.

Follow up to 93cae5cb2f.
2025-10-01 08:11:45 -04:00
Shubham Singh
dce1b9c2de Fixed #36480 -- Made values() resolving error mention unselected aliases.
Follow-up to cb13792938. Refs #34437.
2025-09-22 08:35:53 -04:00
Jake Howard
5171171709 Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
2025-09-03 13:10:58 +02:00
Jacob Walls
de7bb7eab8 Refs #36210 -- Added missing limits in Subquery tests. 2025-08-07 14:28:44 +02:00
Mike Edmunds
55b0cc2131 Refs #36500 -- Shortened some long docstrings and comments.
Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.
2025-07-23 20:17:55 -03:00
Jacob Walls
8ede411a81 Fixed #36152 -- Deprecated use of "%" in column aliases.
Unintentional support existed only on SQLite and Oracle.
2025-06-20 08:25:22 +02:00
Simon Charette
12b771a1ec Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().
Regression in 65ad4ade74.

Refs #28900.

Thanks Jeff Iadarola for the report and tests.

Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
2025-04-05 20:43:50 +02:00
Vinko Mlačić
c6ace896a2 Fixed #36155 -- Improved error handling when annotate arguments require an alias.
Regression in ed0cbc8d8b.
2025-01-30 11:17:17 +00:00
Devin Cox
e03083917d Fixed #35586 -- Added support for set-returning database functions.
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres.

Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-12 15:35:19 +02:00
Simon Charette
65ad4ade74 Refs #28900 -- Made SELECT respect the order specified by values(*selected).
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.

This commit introduces a new `Query.selected` property that keeps track of the
global select order as specified on values assignment. This is a crucial
feature to allow the combination of queries mixing annotations and table
references.

It also allows the removal of the re-ordering shenanigans performed by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list(), as they'll be in the right
order at query compilation time.

Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd.

Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-07-03 16:36:25 +02:00
Simon Charette
cb13792938 Fixed #34437 -- Made values() resolving error mention selected annotations.
While the add_fields() call from set_values() does trigger validation, it
does so after annotations are masked, resulting in them being excluded
from the choices of valid options surfaced through a FieldError.
2023-03-25 20:22:45 +01:00
Raj Desai
246eb4836a Fixed #34254 -- Fixed return value of Exists() with empty queryset.
Thanks Simon Charette for reviews.
2023-01-26 19:54:48 +01:00
Simon Charette
76e37513e2 Refs #33374 -- Adjusted full match condition handling.
Adjusting WhereNode.as_sql() to raise an exception when encountering a
full match, just like with empty matches, ensures that all cases are
explicitly handled.
2022-11-07 20:23:53 +01:00
Simon Charette
5f09ab8c30 Refs #17144 -- Removed support for grouping by primary key.
No core backend requires the feature anymore as it was only added to
support a MySQL'ism that has been deprecated since then.
2022-11-07 12:21:29 +01:00
Gregor Gärtner
f0c06f8ab7 Refs #33990 -- Renamed TransactionTestCase.assertQuerysetEqual() to assertQuerySetEqual().
Co-Authored-By: Michael Howitz <mh@gocept.com>
2022-10-08 08:07:38 +02:00
DevilsAutumn
32797e7fbf Fixed #33975 -- Fixed __in lookup when rhs is a queryset with annotate() and alias().
This fixes clearing selected fields.
2022-09-09 08:37:46 +02:00
Mariusz Felisiak
1760ad4e8c Relaxed some query ordering assertions in various tests.
It accounts for differences seen on MySQL with MyISAM storage engine.
2022-04-14 12:12:13 +02:00
Mariusz Felisiak
93cae5cb2f Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
2022-04-11 08:59:33 +02:00
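The three CVE fixes in this history (41b43c74bd, 5171171709 and 93cae5cb2f) are all the same bug class: a caller-supplied column alias spliced into the SQL text of a SELECT. Column aliases are identifiers, not values, so bind parameters cannot protect them; the alias has to be validated (and quoted) before it reaches the query string. The following is an added illustration against an in-memory SQLite database, not Django's code and not the fix in these commits: the `accounts` table, its rows, the attacker alias and the `vulnerable_select`, `hardened_select`, `is_valid_alias` and `check_alias` names are all constructed for this example. The check here is an allowlist (plain identifiers only), which is stricter than a denylist of quotes, whitespace and comment markers; it also refuses `%`, which matters on drivers that interpolate `%s` placeholders client-side.

```python
"""Column-alias injection: a vulnerable query builder beside a hardened one.

Added example, not Django's code. The table, rows and alias inputs are
constructed here so the file runs offline against in-memory SQLite.
"""
import re
import sqlite3

# Constructed sample data: one public account and one private account.
ROWS = [
    (1, "alice", "ak_live_alice", 1),
    (2, "bob", "ak_live_bob", 0),
]

# Allowlist for identifiers used as column aliases: a leading letter or
# underscore, then letters, digits or underscores, at most 64 chars total.
# Anything else (quotes, whitespace, ';', '--', '/*', '%', brackets) fails.
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def connect():
    """Create the constructed schema and data in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER, name TEXT, api_key TEXT, is_public INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ROWS)
    return conn


def vulnerable_select(conn, alias):
    """Splice the alias straight into the SQL text (the bug class being fixed).

    A value such as 'n, api_key FROM accounts ORDER BY id --' turns the query
    into 'SELECT name AS n, api_key FROM accounts ORDER BY id -- ...', which
    comments out the WHERE clause and leaks api_key for every row.
    """
    sql = f"SELECT name AS {alias} FROM accounts WHERE is_public = 1"
    return conn.execute(sql).fetchall()


def is_valid_alias(alias):
    """True only for a plain SQL identifier per ALIAS_RE."""
    return ALIAS_RE.fullmatch(alias) is not None


def check_alias(alias):
    """Return the alias unchanged if it is a plain identifier, else raise."""
    if not is_valid_alias(alias):
        raise ValueError(f"invalid column alias {alias!r}")
    return alias


def hardened_select(conn, alias):
    """Validate first, then quote the identifier.

    Validation guarantees the alias contains no quote character, so the
    double quotes cannot be broken out of; quoting in turn keeps a valid
    identifier that happens to be a reserved word (e.g. 'select') usable.
    """
    sql = f'SELECT name AS "{check_alias(alias)}" FROM accounts WHERE is_public = 1'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = connect()
    attack = "n, api_key FROM accounts ORDER BY id --"
    print("vulnerable:", vulnerable_select(db, attack))
    print("hardened  :", hardened_select(db, "display_name"))
    try:
        hardened_select(db, attack)
    except ValueError as exc:
        print("rejected  :", exc)
```

Run it and the vulnerable path returns both accounts with their keys while the hardened path returns only the public row for a legitimate alias and refuses the attacker's alias outright. The same shape of check belongs anywhere an identifier (alias, column name, ORDER BY target) is assembled from input, whatever the ORM.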
Luke Plant
04ad0f26ba Refs #33397 -- Added extra tests for resolving an output_field of CombinedExpression. 2022-03-30 11:03:48 +02:00
Mariusz Felisiak
7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot
9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Mariusz Felisiak
c5cd878382 Refs #33476 -- Refactored problematic code before reformatting by Black.
In these cases Black produces unexpected results, e.g.

def make_random_password(
    self,
    length=10,
    allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):

or

cursor.execute("""
SELECT ...
""",
    [table name],
)
2022-02-03 11:20:46 +01:00
David Wobrock
72b23c04d8 Fixed #33374 -- Fixed ExpressionWrapper annotations with full queryset. 2021-12-21 06:17:04 +01:00
David Wobrock
dd1fa3a31b Fixed #33018 -- Fixed annotations with empty queryset.
Thanks Simon Charette for the review and implementation idea.
2021-09-29 20:23:29 +02:00
Mads Jensen
c51bf80d56 Used more specific unittest assertions in tests. 2021-07-07 10:51:38 +02:00
Mariusz Felisiak
d992f4e3c2 Refs #31369 -- Removed models.NullBooleanField per deprecation timeline. 2021-01-14 17:50:04 +01:00
Hasan Ramezani
275dd4ebba Fixed #32178 -- Allowed database backends to skip tests and mark expected failures.
Co-authored-by: Tim Graham <timograham@gmail.com>
2020-12-10 18:00:57 +01:00
Ian Foote
8b040e3cbb Fixed #25534, Fixed #31639 -- Added support for transform references in expressions.
Thanks Mariusz Felisiak and Simon Charette for reviews.
2020-11-27 20:42:04 +01:00
Hasan Ramezani
fe9c7ded29 Fixed #32200 -- Fixed grouping by ExpressionWrapper() with Q objects.
Thanks Gordon Wrigley for the report.

Regression in df32fd42b8.
2020-11-19 21:00:04 +01:00
Christian Klus
4ac2d4fa42 Fixed #32152 -- Fixed grouping by subquery aliases.
Regression in 42c08ee465.

Thanks Simon Charette for the review.
2020-10-29 09:56:09 +01:00
Mariusz Felisiak
3a9f192b13 Refs #32007 -- Skipped test_q_expression_annotation_with_aggregation on Oracle. 2020-09-16 11:47:02 +02:00
Mariusz Felisiak
eaf9764d3b Fixed #32007 -- Fixed queryset crash with Q() annotation and aggregation.
Thanks Gordon Wrigley for the report.

Regression in 8a6df55f2d.
2020-09-15 11:40:59 +02:00
Ahmad A. Hussein
493b26bbfc Fixed #31888 -- Avoided module-level MySQL queries in tests. 2020-08-17 09:31:16 +02:00
Alexandr Tatarinov
f4ac167119 Fixed #27719 -- Added QuerySet.alias() to allow creating reusable aliases.
QuerySet.alias() allows creating reusable aliases for expressions that
don't need to be selected but are used for filtering, ordering, or as
a part of complex expressions.

Thanks Simon Charette for reviews.
2020-07-31 13:19:33 +02:00
David Smith
e74b3d724e Bumped minimum isort version to 5.1.0.
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.
2020-07-30 10:58:59 +02:00
Simon Charette
156a2138db Refs #30446 -- Removed unnecessary Value(..., output_field) in docs and tests. 2020-07-15 10:58:38 +02:00
Mariusz Felisiak
8a6df55f2d Fixed #31773 -- Fixed preserving output_field in ExpressionWrapper for combined expressions.
Thanks Thodoris Sotiropoulos for the report and Simon Charette for the
implementation idea.

Regression in df32fd42b8.
2020-07-09 11:55:03 +02:00
Mariusz Felisiak
aeb8996a67 Fixed #31659 -- Made ExpressionWrapper preserve output_field for combined expressions.
Regression in df32fd42b8.

Thanks Simon Charette for the review.
2020-06-12 07:20:06 +02:00
Mariusz Felisiak
78ad4b4b02 Fixed #31660 -- Fixed queryset crash when grouping by m2o relation.
Regression in 3a941230c8.

Thanks Tomasz Szymański for the report.
2020-06-08 07:21:54 +02:00
Mariusz Felisiak
3a941230c8 Fixed #31584 -- Fixed crash when chaining values()/values_list() after Exists() annotation and aggregation on Oracle.
Oracle requires the EXISTS expression to be wrapped in a CASE WHEN in
the GROUP BY clause.

Regression in efa1908f66.
2020-05-14 15:07:08 +02:00
Simon Charette
42c08ee465 Fixed #31566 -- Fixed aliases crash when chaining values()/values_list() after annotate() with aggregations and subqueries.
Subquery annotation references must be resolved if they are excluded
from the GROUP BY clause by a following .values() call.

Regression in fb3f034f1c.

Thanks Makina Corpus for the report.
2020-05-14 08:16:16 +02:00
Tim Graham
9100c664db Relaxed some query ordering assertions in tests.
It accounts for differences seen on cockroachdb.
2019-11-18 12:32:37 +01:00
can
52545e788d Fixed #28289 -- Fixed crash of RawSQL annotations on inherited model fields. 2019-07-11 08:27:15 +02:00
Simon Charette
e595a713cc Refs #29542, #30158 -- Enabled a HAVING subquery filter test on Oracle.
Now that subquery annotations aren't included in the GROUP BY unless
explicitly grouped against, the test works on Oracle.
2019-03-21 18:48:41 -04:00
Mariusz Felisiak
dd3b470719 Fixed #29542 -- Fixed invalid SQL if a Subquery from the HAVING clause is used in the GROUP BY clause.
Thanks Tim Graham for the review.
2018-07-14 12:03:22 +02:00
Mariusz Felisiak
0e64e046a4 Fixed #29530 -- Fixed aliases ordering when chaining annotate() and filter(). 2018-07-02 21:09:29 +02:00
Mariusz Felisiak
4ab1f559e8 Fixed #29416 -- Removed unnecessary subquery from GROUP BY clause on MySQL when using a RawSQL annotation.
Regression in 1d070d027c.
2018-05-27 18:25:19 -04:00
Tim Graham
5fa4f40f45 Fixed #29227 -- Allowed BooleanField to be null=True.
Thanks Lynn Cyrin for contributing to the patch, and Nick Pope for review.
2018-03-20 12:10:10 -04:00
Mariusz Felisiak
362813d628 Fixed hanging indentation in various code. 2018-03-16 10:54:34 +01:00
Robin Ramael
fbf647287e Fixed #28811 -- Fixed crash when combining regular and group by annotations. 2018-01-03 08:24:16 -05:00