1
0
mirror of https://github.com/django/django.git synced 2025-10-25 22:56:12 +00:00
Commit Graph

233 Commits

Author SHA1 Message Date
Mariusz Felisiak
4ceaaee7e0 [6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.

Follow up to 93cae5cb2f.

Backport of 41b43c74bd from main.
2025-10-01 08:17:15 -04:00
django-bot
69a93a88ed Refs #36500 -- Rewrapped long docstrings and block comments via a script.
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
2025-07-23 20:17:55 -03:00
Simon Charette
21f8be76d4 Fixed #36288 -- Addressed improper handling of duplicates in values_list().
Now that selected aliases are stored in sql.Query.selected: dict[str, Any]
the values_list() method must ensures that duplicate field name references are
assigned unique aliases.

Refs #28900.

Regression in 65ad4ade74.

Thanks Claude for the report.
2025-04-11 09:04:49 +02:00
Simon Charette
41239fe34d Fixed #36149 -- Allowed subquery values against tuple exact and in lookups.
Non-tuple exact and in lookups have specialized logic for subqueries that can
be adapted to properly assign select mask if unspecified and ensure the number
of involved members are matching on both side of the operator.
2025-02-11 09:08:35 +01:00
Tim Graham
6a85c888bf Added supports_select_union skips in queries and aggregation tests. 2024-08-26 12:53:08 -03:00
Simon Charette
6d220963fa Fixed #28900 -- Propagated all selected fields to combinator queries.
Previously, only the selected column aliases would be propagated and
annotations were ignored.
2024-07-03 16:36:25 +02:00
Simon Charette
65ad4ade74 Refs #28900 -- Made SELECT respect the order specified by values(*selected).
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.

This commits introduces a new `Query.selected` propery that keeps tracks of the
global select order as specified by on values assignment. This is crucial
feature to allow the combination of queries mixing annotations and table
references.

It also allows the removal of the re-ordering shenanigans perform by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.

Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd.

Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-07-03 16:36:25 +02:00
Hisham Mahmood
d79fba7d8e Fixed #35099 -- Prevented mutating queryset when combining with & and | operators.
Thanks Alan for the report.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-02-07 12:36:30 +01:00
Nick Pope
1c3614e306 Refs #34986 -- Avoided implementation-specific unpickleable types.
The implementation of some core types differ between CPython and PyPy
and this may affect the way that pickling works such that errors are
raised in differing locations in the interpreter or not at all.

Use our own custom non-pickleable type instead to avoid these quirks.
2023-12-06 09:23:35 +01:00
Mariusz Felisiak
e69a9920e2 Fixed non-deterministic order in SubqueryTests.test_slice_subquery_and_query.
Slice on unordered subquery may be non-deterministic in some databases.
2023-08-10 05:33:13 +02:00
Simon Charette
1c4f5f314e Refs #32143 -- Removed superflous constraints on excluded query.
The outer query reference is not necessary when alias can be reused and
can even be harmful by confusing query planers.

Refs #34597.
2023-06-14 09:44:49 +02:00
Mariusz Felisiak
4d78d7338c Refs #31486 -- Removed ability to pass unsaved model instances to related filters.
Per deprecation timeline.
2023-01-17 11:49:15 +01:00
Mariusz Felisiak
3b24a3fa33 Removed unnecessary commas in tests. 2022-12-21 11:41:29 +01:00
Simon Charette
76e37513e2 Refs #33374 -- Adjusted full match condition handling.
Adjusting WhereNode.as_sql() to raise an exception when encoutering a
full match just like with empty matches ensures that all case are
explicitly handled.
2022-11-07 20:23:53 +01:00
Gregor Gärtner
f0c06f8ab7 Refs #33990 -- Renamed TransactionTestCase.assertQuerysetEqual() to assertQuerySetEqual().
Co-Authored-By: Michael Howitz <mh@gocept.com>
2022-10-08 08:07:38 +02:00
Mariusz Felisiak
d795259ea9 Replaced assertQuerysetEqual() to assertSequenceEqual()/assertCountEqual() where appropriate.
Follow up to 3f7b327562.
2022-10-07 13:05:35 +02:00
Mariusz Felisiak
37a13cc92d Refs #34012 -- Added test for ordering by transform of related fields. 2022-09-22 12:55:47 +02:00
Mariusz Felisiak
ce6230aa97 Fixed #34015 -- Allowed filtering by transforms on relation fields. 2022-09-22 00:17:04 +02:00
Simon Charette
b3db6c8dcb Fixed #21204 -- Tracked field deferrals by field instead of models.
This ensures field deferral works properly when a model is involved
more than once in the same query with a distinct deferral mask.
2022-08-30 08:43:53 +02:00
Nick Pope
769d7cce4a Used AND, OR, XOR constants instead of hard-coded values. 2022-07-27 07:55:09 +02:00
Mariusz Felisiak
1760ad4e8c Relaxed some query ordering assertions in various tests.
It accounts for differences seen on MySQL with MyISAM storage engine.
2022-04-14 12:12:13 +02:00
mgaligniana
0ad5316f22 Fixed #24296 -- Made QuerySet.exists() clear selected columns for not sliced distinct querysets. 2022-04-12 08:18:22 +02:00
mgaligniana
d2263b7b87 Refs #18414 -- Added tests for selected columns of sliced distinct querysets. 2022-04-12 08:18:22 +02:00
Mariusz Felisiak
93cae5cb2f Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
2022-04-11 08:59:33 +02:00
Ryan Heard
c6b4d62fa2 Fixed #29865 -- Added logical XOR support for Q() and querysets. 2022-03-04 12:55:37 +01:00
Albert Defler
2b6a3baebe Fixed #31486 -- Deprecated passing unsaved objects to related filters.
Co-Authored-By: Hasan Ramezani <hasan.r67@gmail.com>
2022-02-25 07:51:37 +01:00
Nick Pope
847f46e9bf Removed redundant QuerySet.all() calls in docs and tests.
Most QuerySet methods are mapped onto the Manager and, in general,
it isn't necessary to call .all() on the manager.
2022-02-22 10:29:38 +01:00
Mariusz Felisiak
7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot
9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Mariusz Felisiak
c5cd878382 Refs #33476 -- Refactored problematic code before reformatting by Black.
In these cases Black produces unexpected results, e.g.

def make_random_password(
    self,
    length=10,
    allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):

or

cursor.execute("""
SELECT ...
""",
    [table name],
)
2022-02-03 11:20:46 +01:00
Ömer Faruk Abacı
81739a45b5 Fixed #33319 -- Fixed crash when combining with the | operator querysets with aliases that conflict. 2021-12-08 21:16:24 +01:00
Jacob Walls
28f66b2783 Refs #25467 -- Added test for excluding one-to-one relation with unsaved objects.
Fixed in 58da81a5a3.
2021-10-08 06:26:19 +02:00
Mariusz Felisiak
903aaa35e5 Fixed #33159 -- Reverted "Fixed #32970 -- Changed WhereNode.clone() to create a shallow copy of children."
This reverts commit e441847eca.

A shallow copy is not enough because querysets can be reused and
evaluated in nested nodes, which shouldn't mutate JOIN aliases.

Thanks Michal Čihař for the report.
2021-09-30 11:26:17 +02:00
Daniyal
f479df7f8d Refs #32508 -- Raised Type/ValueError instead of using "assert" in django.db.models.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-07-15 11:43:33 +02:00
Simon Charette
b81c7562fc Fixed #32717 -- Fixed filtering of querysets combined with the | operator.
Address a long standing bug in a Where.add optimization to discard
equal nodes that was surfaced by implementing equality for Lookup
instances in bbf141bcdc.

Thanks Shaheed Haque for the report.
2021-05-13 07:26:52 +02:00
Hasan Ramezani
8de4ca74ba Fixed #32693 -- Quoted and lowercased generated column aliases. 2021-05-04 07:36:56 +02:00
Mariusz Felisiak
c3278bb71f Used assertCountEqual() in ExcludeTests.test_exclude_subquery(). 2021-04-22 10:47:10 +02:00
Simon Charette
6d0cbe42c3 Fixed #32650 -- Fixed handling subquery aliasing on queryset combination.
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9 but
sql.Query.combine never properly handled subqueries outer refs in the
first place, see QuerySetBitwiseOperationTests.test_subquery_aliases()
(refs #27149).

Thanks Raffaele Salmaso for the report.
2021-04-21 09:49:15 +02:00
Mariusz Felisiak
ba9a2b7544 Refs #32508 -- Raised TypeError instead of using "assert" on unsupported operations for sliced querysets. 2021-03-10 09:16:28 +01:00
Mariusz Felisiak
06eec31970 Refs #7098 -- Removed support for passing raw column aliases to order_by().
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Hasan Ramezani
3f7b327562 Fixed #31235 -- Made assertQuerysetEqual() compare querysets directly.
This also replaces assertQuerysetEqual() to
assertSequenceEqual()/assertCountEqual() where appropriate.

Co-authored-by: Peter Inglesby <peter.inglesby@gmail.com>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-11-06 09:24:50 +01:00
Simon Charette
8593e162c9 Fixed #32143 -- Used EXISTS to exclude multi-valued relationships.
As mentioned in the pre-existing split_exclude() docstring EXISTS is
easier to optimize for query planers and circumvents the IN (NULL)
handling issue.
2020-10-28 07:22:00 +01:00
Tim Graham
73be11a266 Removed an obsolete query test that assumes serial pks.
The code from the original fix (922aba3def)
was removed in 419de7b00d.
2020-10-27 06:31:26 +01:00
Kwist
981a072dd4 Fixed #31843 -- Fixed pickling named values from QuerySet.values_list(). 2020-09-16 13:43:06 +02:00
Mariusz Felisiak
e11d05e0b4 Fixed #31990 -- Fixed QuerySet.ordered for GROUP BY queries on models with Meta.ordering.
Regression in 0ddb4ebf7b.

Thanks Julien Dutriaux for the report.
2020-09-14 20:07:44 +02:00
Hasan Ramezani
9c9a3fe118 Fixed #31783 -- Fixed crash when filtering againts "negate" field.
Thanks Simon Charette for the initial patch.
2020-07-29 08:20:58 +02:00
Jacob Walls
512da9d585 Fixed #23797 -- Fixed QuerySet.exclude() when rhs is a nullable column. 2020-07-06 10:15:37 +02:00
Nicolas Baccelli
b38d44229f Fixed #31664 -- Reallowed using non-expressions having filterable attribute as rhs in queryset filters.
Regression in 4edad1ddf6.
2020-06-08 08:17:23 +02:00
Simon Charette
94f63b926f Refs #31395 -- Relied on setUpTestData() test data isolation in various tests. 2020-05-15 20:22:56 +02:00
Simon Charette
1dd96f731d Refs #13227 -- Adjusted a test to avoid making a shared test model unpickable.
This allowed the Note model to be used in setUpTestData() which requires
assigned model instances to be copy.deepcopy()'able.
2020-05-15 20:22:51 +02:00