July 1, 2021
Django 3.1.13 fixes a security issue with severity “high” in 3.1.12.
QuerySet.order_by()
input¶Unsanitized user input passed to QuerySet.order_by()
could bypass intended
column reference validation in path marked for deprecation resulting in a
potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426.
The issue is not present in the main branch as the deprecated path has been removed.
Dec 13, 2021