1
0
mirror of https://github.com/django/django.git synced 2025-10-25 14:46:09 +00:00
Commit Graph

9 Commits

Author SHA1 Message Date
Mariusz Felisiak
4ceaaee7e0 [6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.

Follow up to 93cae5cb2f.

Backport of 41b43c74bd from main.
2025-10-01 08:17:15 -04:00
Jacob Walls
2d453a2a68 Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values(). 2025-08-29 13:45:08 -04:00
Simon Charette
c87bfaacf8 Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
2024-08-06 08:50:08 +02:00
Mariusz Felisiak
1760ad4e8c Relaxed some query ordering assertions in various tests.
It accounts for differences seen on MySQL with MyISAM storage engine.
2022-04-14 12:12:13 +02:00
Mariusz Felisiak
93cae5cb2f Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
2022-04-11 08:59:33 +02:00
django-bot
9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Nick Pope
335c9c94ac Simplified imports from django.db and django.contrib.gis.db. 2020-02-04 13:20:06 +01:00
Claude Paroz
d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Ian Foote
39f35d4b9d Fixed #25871 -- Added expressions support to QuerySet.values(). 2016-08-18 16:05:15 -04:00