Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.

Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-17 17:09:54 -0500
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-12-02 09:21:07 -0300
commit: 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e (patch)
tree: eb7a0093990c453a453a178f67e3302da24df188 /django/db/backends/postgresql
parent: cb1d2854ed2b13799f2b0cc6e04019df181bacd4 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/django/db/backends/postgresql/compiler.py b/django/db/backends/postgresql/compiler.py
index 48d0ccfd9d..08d78e333a 100644
--- a/django/db/backends/postgresql/compiler.py
+++ b/django/db/backends/postgresql/compiler.py
@@ -1,6 +1,6 @@
 from django.db.models.sql.compiler import (  # isort:skip
     SQLAggregateCompiler,
-    SQLCompiler,
+    SQLCompiler as BaseSQLCompiler,
     SQLDeleteCompiler,
     SQLInsertCompiler as BaseSQLInsertCompiler,
     SQLUpdateCompiler,
@@ -25,6 +25,15 @@ class InsertUnnest(list):
         return "UNNEST(%s)" % ", ".join(self)
 
 
+class SQLCompiler(BaseSQLCompiler):
+    def quote_name_unless_alias(self, name):
+        if "$" in name:
+            raise ValueError(
+                "Dollar signs are not permitted in column aliases on PostgreSQL."
+            )
+        return super().quote_name_unless_alias(name)
+
+
 class SQLInsertCompiler(BaseSQLInsertCompiler):
     def assemble_as_sql(self, fields, value_rows):
         # Specialize bulk-insertion of literal values through UNNEST to
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-17 17:09:54 -0500
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-12-02 09:21:07 -0300
commit	5b90ca1e7591fa36fccf2d6dad67cf1477e6293e (patch)
tree	eb7a0093990c453a453a178f67e3302da24df188 /django/db/backends/postgresql
parent	cb1d2854ed2b13799f2b0cc6e04019df181bacd4 (diff)