Mariusz Felisiak
4ceaaee7e0
[6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f41b43c74bd
2025-10-01 08:17:15 -04:00
							
Jake Howard
5171171709
Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
2025-09-03 13:10:58 +02:00
							
Jacob Walls
de7bb7eab8
Refs #36210 -- Added missing limits in Subquery tests.
2025-08-07 14:28:44 +02:00
							
Mike Edmunds
55b0cc2131
Refs #36500 -- Shortened some long docstrings and comments.
Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.
2025-07-23 20:17:55 -03:00
							
Jacob Walls
8ede411a81
Fixed #36152 -- Deprecated use of "%" in column aliases.
Unintentional support existed only on SQLite and Oracle.
2025-06-20 08:25:22 +02:00
							
Simon Charette
12b771a1ec
Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().
Regression in 65ad4ade74#28900.
Thanks Jeff Iadarola for the report and tests.
Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
2025-04-05 20:43:50 +02:00
							
Vinko Mlačić
c6ace896a2
Fixed #36155 -- Improved error handling when annotate arguments require an alias.
Regression in ed0cbc8d8b
2025-01-30 11:17:17 +00:00
							
Devin Cox
e03083917d
Fixed #35586 -- Added support for set-returning database functions.
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres.
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-12 15:35:19 +02:00
							
Simon Charette
65ad4ade74
Refs #28900 -- Made SELECT respect the order specified by values(*selected).
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.
This commit introduces a new `Query.selected` property that keeps track of the
global select order as specified by on values assignment. This is a crucial
feature to allow the combination of queries mixing annotations and table
references.
It also allows the removal of the re-ordering shenanigans performed by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.
Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd
2024-07-03 16:36:25 +02:00
							
Simon Charette
cb13792938
Fixed #34437 -- Made values() resolving error mention selected annotations.
While the add_fields() call from set_values() does trigger validation it
does so after annotations are masked resulting in them being excluded
from the choices of valid options surfaced through a FieldError.
2023-03-25 20:22:45 +01:00
							
Raj Desai
246eb4836a
Fixed #34254 -- Fixed return value of Exists() with empty queryset.
Thanks Simon Charette for reviews.
2023-01-26 19:54:48 +01:00
							
Simon Charette
76e37513e2
Refs #33374 -- Adjusted full match condition handling.
Adjusting WhereNode.as_sql() to raise an exception when encountering a
full match just like with empty matches ensures that all cases are
explicitly handled.
2022-11-07 20:23:53 +01:00
							
Simon Charette
5f09ab8c30
Refs #17144 -- Removed support for grouping by primary key.
No core backend requires the feature anymore as it was only added to
support a MySQL'ism that has been deprecated since then.
2022-11-07 12:21:29 +01:00
							
Gregor Gärtner
f0c06f8ab7
Refs #33990 -- Renamed TransactionTestCase.assertQuerysetEqual() to assertQuerySetEqual().
Co-Authored-By: Michael Howitz <mh@gocept.com>
2022-10-08 08:07:38 +02:00
							
DevilsAutumn
32797e7fbf
Fixed #33975 -- Fixed __in lookup when rhs is a queryset with annotate() and alias().
This fixes clearing selected fields.
2022-09-09 08:37:46 +02:00
							
Mariusz Felisiak
1760ad4e8c
Relaxed some query ordering assertions in various tests.
It accounts for differences seen on MySQL with MyISAM storage engine.
2022-04-14 12:12:13 +02:00
							
Mariusz Felisiak
93cae5cb2f
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
2022-04-11 08:59:33 +02:00
							
Luke Plant
04ad0f26ba
Refs #33397 -- Added extra tests for resolving an output_field of CombinedExpression.
2022-03-30 11:03:48 +02:00
							
Mariusz Felisiak
7119f40c98
Refs #33476 -- Refactored code to strictly match 88 characters line length.
2022-02-07 20:37:05 +01:00
							
django-bot
9c19aff7c7
Refs #33476 -- Reformatted code with Black.
2022-02-07 20:37:05 +01:00
							
Mariusz Felisiak
c5cd878382
Refs #33476 -- Refactored problematic code before reformatting by Black.
In these cases Black produces unexpected results, e.g.
def make_random_password(
    self,
    length=10,
    allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):
or
cursor.execute("""
SELECT ...
""",
    [table name],
)
2022-02-03 11:20:46 +01:00
							
David Wobrock
72b23c04d8
Fixed #33374 -- Fixed ExpressionWrapper annotations with full queryset.
2021-12-21 06:17:04 +01:00
							
David Wobrock
dd1fa3a31b
Fixed #33018 -- Fixed annotations with empty queryset.
Thanks Simon Charette for the review and implementation idea.
2021-09-29 20:23:29 +02:00
							
Mads Jensen
c51bf80d56
Used more specific unittest assertions in tests.
2021-07-07 10:51:38 +02:00
							
Mariusz Felisiak
d992f4e3c2
Refs #31369 -- Removed models.NullBooleanField per deprecation timeline.
2021-01-14 17:50:04 +01:00
							
Hasan Ramezani
275dd4ebba
Fixed #32178 -- Allowed database backends to skip tests and mark expected failures.
Co-authored-by: Tim Graham <timograham@gmail.com>
2020-12-10 18:00:57 +01:00
							
Ian Foote
8b040e3cbb
Fixed #25534, Fixed #31639 -- Added support for transform references in expressions.
Thanks Mariusz Felisiak and Simon Charette for reviews.
2020-11-27 20:42:04 +01:00
							
Hasan Ramezani
fe9c7ded29
Fixed #32200 -- Fixed grouping by ExpressionWrapper() with Q objects.
Thanks Gordon Wrigley for the report.
Regression in df32fd42b8
2020-11-19 21:00:04 +01:00
							
Christian Klus
4ac2d4fa42
Fixed #32152 -- Fixed grouping by subquery aliases.
Regression in 42c08ee465
2020-10-29 09:56:09 +01:00
							
Mariusz Felisiak
3a9f192b13
Refs #32007 -- Skipped test_q_expression_annotation_with_aggregation on Oracle.
2020-09-16 11:47:02 +02:00
							
Mariusz Felisiak
eaf9764d3b
Fixed #32007 -- Fixed queryset crash with Q() annotation and aggregation.
Thanks Gordon Wrigley for the report.
Regression in 8a6df55f2d
2020-09-15 11:40:59 +02:00
							
Ahmad A. Hussein
493b26bbfc
Fixed #31888 -- Avoided module-level MySQL queries in tests.
2020-08-17 09:31:16 +02:00
							
Alexandr Tatarinov
f4ac167119
Fixed #27719 -- Added QuerySet.alias() to allow creating reusable aliases.
QuerySet.alias() allows creating reusable aliases for expressions that
don't need to be selected but are used for filtering, ordering, or as
a part of complex expressions.
Thanks Simon Charette for reviews.
2020-07-31 13:19:33 +02:00
							
David Smith
e74b3d724e
Bumped minimum isort version to 5.1.0.
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.
2020-07-30 10:58:59 +02:00
							
Simon Charette
156a2138db
Refs #30446 -- Removed unnecessary Value(..., output_field) in docs and tests.
2020-07-15 10:58:38 +02:00
							
Mariusz Felisiak
8a6df55f2d
Fixed #31773 -- Fixed preserving output_field in ExpressionWrapper for combined expressions.
Thanks Thodoris Sotiropoulos for the report and Simon Charette for the
implementation idea.
Regression in df32fd42b8
2020-07-09 11:55:03 +02:00
							
Mariusz Felisiak
aeb8996a67
Fixed #31659 -- Made ExpressionWrapper preserve output_field for combined expressions.
Regression in df32fd42b8
2020-06-12 07:20:06 +02:00
							
Mariusz Felisiak
78ad4b4b02
Fixed #31660 -- Fixed queryset crash when grouping by m2o relation.
Regression in 3a941230c8
2020-06-08 07:21:54 +02:00
							
Mariusz Felisiak
3a941230c8
Fixed #31584 -- Fixed crash when chaining values()/values_list() after Exists() annotation and aggregation on Oracle.
Oracle requires the EXISTS expression to be wrapped in a CASE WHEN in
the GROUP BY clause.
Regression in efa1908f66
2020-05-14 15:07:08 +02:00
							
Simon Charette
42c08ee465
Fixed #31566 -- Fixed aliases crash when chaining values()/values_list() after annotate() with aggregations and subqueries.
Subquery annotation references must be resolved if they are excluded
from the GROUP BY clause by a following .values() call.
Regression in fb3f034f1c
2020-05-14 08:16:16 +02:00
							
Tim Graham
9100c664db
Relaxed some query ordering assertions in tests.
It accounts for differences seen on cockroachdb.
2019-11-18 12:32:37 +01:00
							
can
52545e788d
Fixed #28289 -- Fixed crash of RawSQL annotations on inherited model fields.
2019-07-11 08:27:15 +02:00
							
Simon Charette
e595a713cc
Refs #29542, #30158 -- Enabled a HAVING subquery filter test on Oracle.
Now that subquery annotations aren't included in the GROUP BY unless
explicitly grouped against, the test works on Oracle.
2019-03-21 18:48:41 -04:00
							
Mariusz Felisiak
dd3b470719
Fixed #29542 -- Fixed invalid SQL if a Subquery from the HAVING clause is used in the GROUP BY clause.
Thanks Tim Graham for the review.
2018-07-14 12:03:22 +02:00
							
Mariusz Felisiak
0e64e046a4
Fixed #29530 -- Fixed aliases ordering when chaining annotate() and filter().
2018-07-02 21:09:29 +02:00
							
Mariusz Felisiak
4ab1f559e8
Fixed #29416 -- Removed unnecessary subquery from GROUP BY clause on MySQL when using a RawSQL annotation.
Regression in 1d070d027c
2018-05-27 18:25:19 -04:00
							
Tim Graham
5fa4f40f45
Fixed #29227 -- Allowed BooleanField to be null=True.
Thanks Lynn Cyrin for contributing to the patch, and Nick Pope for review.
2018-03-20 12:10:10 -04:00
							
Mariusz Felisiak
362813d628
Fixed hanging indentation in various code.
2018-03-16 10:54:34 +01:00
							
Robin Ramael
fbf647287e
Fixed #28811 -- Fixed crash when combining regular and group by annotations.
2018-01-03 08:24:16 -05:00
							
Sergey Fedoseev
ebc4ee3369
Refs #23941 -- Prevented incorrect rounding of DecimalField annotations on SQLite.
2017-12-21 19:50:56 -05:00