summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2024-07-25 12:19:13 -0400
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-06 08:51:22 +0200
commite2583fbc2ebffce11b4444a7cec6336513e81f8b (patch)
tree24443b83a5e5fb822a0b738653d5357a577dbda8 /django
parentbd807c0c25ab69361a4c08edcc1cf04d4652aa0a (diff)
[5.1.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
Diffstat (limited to 'django')
-rw-r--r--django/db/models/sql/query.py2
1 files changed, 2 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index a7bc0610c8..293856d86f 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2442,6 +2442,8 @@ class Query(BaseExpression):
self.has_select_fields = True
if fields:
+ for field in fields:
+ self.check_alias(field)
field_names = []
extra_names = []
annotation_names = []