Jake Howard 0c0f5c2178 [6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. ...

Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.

Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.

Backport of e891a84c7e from main.

2026-02-03 08:03:39 -05:00

..

__init__.py

Merged regressiontests and modeltests into the test root.

2013-02-26 14:36:57 +01:00

models.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

test_bulk_update.py

Refs #36419 -- Fixed BulkUpdateTests.test_json_field_sql_null() crash on Oracle.

2025-06-10 08:40:47 +02:00

test_contains.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

test_db_returning.py

Refs #27222 -- Restored Model.save()'s refreshing of db_returning fields even if a value is set.

2025-09-17 07:50:08 -04:00

test_explain.py

Fixed #35856 -- Added QuerySet.explain() support for MEMORY/SERIALIZE option on PostgreSQL 17+.

2024-10-30 15:54:48 +01:00

test_iterator.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

test_q.py

[6.0.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

2025-11-05 09:29:44 -03:00

test_qs_combinators.py

Fixed #36388 -- Made QuerySet.union() return self when called with no arguments.

2025-05-19 10:34:14 +02:00

test_query.py

Refs #33308 -- Avoided passing None to RawSQL's params.

2022-12-02 10:56:09 +01:00

test_sqlcompiler.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

tests.py

[6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

2026-02-03 08:03:39 -05:00