The usage of the --password flag when invoking the mysql CLI has the
potential of exposing the password in plain text if the command happens
to crash due to the inclusion of args provided to
subprocess.run(check=True) in the string representation of the
subprocess.CalledProcessError exception raised on non-zero return code.
Since this has the potential of leaking the password to logging
facilities configured to capture crashes (e.g. sys.excepthook, Sentry)
it's safer to rely on the MYSQL_PWD environment variable instead even
if its usage is discouraged due to potential leak through the ps
command on old flavors of Unix.
Thanks Charlie Denton for reporting the issue to the security team.
Refs #24999.
The optimization introduced in 7acef095d7 did not properly handle
deletion involving filters against aggregate annotations.
It initially was surfaced by a MariaDB test failure but misattributed
to an undocumented change in behavior that resulted in the systemic
generation of poorly performing database queries in 5b83bae031.
Thanks Anton Plotkin for the report.
Refs #23576.
Thanks to Adam Johnson, Carlton Gibson, Mariusz Felisiak, and Raphael
Michel for mentoring this Google Summer of Code 2019 project and
everyone else who helped with the patch.
Special thanks to Mads Jensen, Nick Pope, and Simon Charette for
extensive reviews.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
The sql_flush() positional argument sequences is replaced by the boolean
keyword-only argument reset_sequences. This ensures that the old
function signature can't be used by mistake when upgrading Django. When
the new argument is True, the sequences of the truncated tables will
reset. Using a single boolean value, rather than a list, allows making a
binary yes/no choice as to whether to reset all sequences rather than a
working on a completely different set.
MySQL 8.0.3 added support for this syntax but also imposed a
restriction against ALTER TABLE RENAME on tables in a foreign key
relationship if a LOCK TABLES was active which has been lifted in MySQL
8.0.4+.
Both backends order NULLs first on ascending ordering and last on
descending ordering which makes ORDER BY IS (NOT)? NULL wasteful when
asc(nulls_first) and desc(nulls_last) are used since it prevents indice
usage.
The subtract_temporals() database operation was not handling expressions
returning SQL params in mixed database types.
Regression in 3543129822.
Thanks Reupen Shah for the report.
MySQL & MariaDB support the standard IS NULL and IS NOT NULL so
the same workaround used for NULLS FIRST and NULLS LAST that is
used for SQLite < 3.30.0 can be used.
Thanks Simon Charette for the discussion.
Hannes Ljungberg
Jordan Bae
Mariusz Felisiak
Hannes Ljungberg
Hasan Ramezani
Seamus Quinn
Simon Charette
manav014
David-Wobrock
Nick Pope
Tom Carrick
Petr Čermák
davidchorpash
Sergey Fedoseev
Adam Johnson
Tim Graham
sage
Jon Dufresne
c-bata
Rohit
Caio Ariede