mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-06-04 02:59:13 +00:00
Code Issues 32 Releases Wiki Activity

[5.2.x] Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().

Browse Source 
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.

Refs #28900.

Thanks Jeff Iadarola for the report and tests.

Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>

Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main
This commit is contained in:
Simon Charette 2025-04-04 10:18:27 -04:00 committed by Mariusz Felisiak
parent d9bf0d07cc
commit cd1aa54f5a
3 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/db/models/sql/query.py
View File

@ -1221,7 +1221,7 @@ class Query(BaseExpression):
else: else:
self.set_annotation_mask(set(self.annotation_select).difference({alias})) self.set_annotation_mask(set(self.annotation_select).difference({alias}))
self.annotations[alias] = annotation self.annotations[alias] = annotation
if self.selected: if select and self.selected:
self.selected[alias] = alias self.selected[alias] = alias
@property @property

4
docs/releases/5.2.1.txt
View File

@ -19,3 +19,7 @@ Bugfixes
* Fixed a regression in Django 5.2 that caused a crash of * Fixed a regression in Django 5.2 that caused a crash of
``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS ``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS
(:ticket:`36289`). (:ticket:`36289`).
* Fixed a regression in Django 5.2 that caused fields to be incorrectly
selected when using ``QuerySet.alias()`` after ``values()``
(:ticket:`36299`).

4
tests/annotations/tests.py
View File

@ -1470,6 +1470,10 @@ class AliasTests(TestCase):
with self.assertRaisesMessage(FieldError, msg): with self.assertRaisesMessage(FieldError, msg):
getattr(qs, operation)("rating_alias") getattr(qs, operation)("rating_alias")
def test_alias_after_values(self):
qs = Book.objects.values_list("pk").alias(other_pk=F("pk"))
self.assertEqual(qs.get(pk=self.b1.pk), (self.b1.pk,))
def test_alias_sql_injection(self): def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --""" crafted_alias = """injected_name" from "annotations_book"; --"""
msg = ( msg = (