Backport of e937be3 from main.

Co-authored-by: Jake Howard <git@theorangeone.net>

Backport of c08ed08 from main.

…/5.2.10.txt.

Backport of 2be860d from main.

Backport of b30e09a from main.

…() in mod_wsgi auth handler.

Refs CVE-2024-39329, #20760.

Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 3eb814e from main.

…ASGI requests.

Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.

Backport of eb22e1d from main.

…d lookups via band index.

Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.

Backport of 81aa529 from main.

…s.text.Truncator for HTML input.

The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.

The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.

Refs #30686 and 6ee37ad.

Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.

Backport of a33540b from main.

…umn aliases via control characters.

Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.

Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.

Backport of e891a84 from main.

…n via aliases with periods.

Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.

In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.

Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.

Backport of 69065ca from main.

… aliases contain periods.

This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.

Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.

Backport of 005d60d from main.