source/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2026-02-09 02:49:25 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
20c71f6b91324cf401056c72136c14e0ec2bf7bf
django/docs
History
Jacob Walls 90f5b10784 [4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods. 
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.

In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.

Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.

Backport of 69065ca869 from main.
2026-02-03 08:26:22 -05:00
..
_ext
[4.2.x] Fixed #34756 -- Fixed docs HTML build on Sphinx 7.1+.
2023-08-03 09:32:03 +02:00
_theme
Fixed docs build with sphinxcontrib-spelling 7.5.0+.
2022-05-31 11:17:01 +02:00
faq
[4.2.x] Refs #34118 -- Doc'd Python 3.12 compatibility in Django 4.2.x.
2023-11-19 16:38:33 +01:00
howto
[4.2.x] Removed obsolete sentence in custom model field docs.
2023-11-15 13:53:03 +01:00
internals
[4.2.x] Added GitHub Actions linter (zizmor).
2025-11-21 14:59:53 -05:00
intro
[4.2.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625.
2025-05-26 12:38:29 -03:00
man
[4.2.x] Updated man page for Django 4.2 final.
2023-04-03 08:56:48 +02:00
misc
Fixed 32956 -- Lowercased spelling of "web" and "web framework" where appropriate.
2021-07-29 06:24:12 +02:00
ref
[4.2.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.
2025-08-04 22:07:14 -03:00
releases
[4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.
2026-02-03 08:26:22 -05:00
topics
[4.2.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer.
2025-12-02 09:44:40 -03:00
conf.py
[4.2.x] Fixed docs build on Sphinx 8.1+.
2024-11-26 10:09:37 -03:00
contents.txt
Fixed #26020 -- Normalized header stylings in docs.
2016-01-22 12:12:17 -05:00
glossary.txt
Fixed #26020 -- Normalized header stylings in docs.
2016-01-22 12:12:17 -05:00
index.txt
[4.2.x] Added Django Forum to mailing lists page.
2023-03-24 08:58:45 +01:00
make.bat
[4.2.x] Refs #34140 -- Added configurations to run blacken-docs linter and adjusted docs.
2023-03-01 13:34:28 +01:00
Makefile
[4.2.x] Refs #34140 -- Added configurations to run blacken-docs linter and adjusted docs.
2023-03-01 13:34:28 +01:00
README.rst
Refs #25778 -- Updated sphinx-doc.org links to HTTPS.
2020-01-29 06:04:15 +01:00
requirements.txt
[4.2.x] Pinned black == 23.12.1 for blacken-docs checks.
2024-01-30 05:47:27 +01:00
spelling_wordlist
[4.2.x] Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.
2023-07-03 13:55:31 +02:00

README.rst 

The documentation in this tree is in plain text files and can be viewed using
any text file viewer.

It uses `ReST`_ (reStructuredText), and the `Sphinx`_ documentation system.
This allows it to be built into other forms for easier viewing and browsing.

To create an HTML version of the docs:

* Install Sphinx (using ``python -m pip install Sphinx`` or some other method).

* In this docs/ directory, type ``make html`` (or ``make.bat html`` on
  Windows) at a shell prompt.

The documentation in ``_build/html/index.html`` can then be viewed in a web
browser.

.. _ReST: https://docutils.sourceforge.io/rst.html
.. _Sphinx: https://www.sphinx-doc.org/
Reference in New Issue View Git Blame Copy Permalink