Fixes the following security issues:
CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
For more details, see the advisory:
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 87b8676fbf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
c47ac4aa46