2022年4月11日
Django 2.2.28 fixes two security issues with severity "high" in 2.2.27.
QuerySet.annotate(), aggregate(), and extra()¶QuerySet.annotate(), aggregate(), and
extra() methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
**kwargs passed to these methods.
QuerySet.explain(**options) on PostgreSQL¶QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
7月 02, 2025