diff options
| author | Simon Charette <charette.s@gmail.com> | 2024-07-25 12:19:13 -0400 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:51:22 +0200 |
| commit | e2583fbc2ebffce11b4444a7cec6336513e81f8b (patch) | |
| tree | 24443b83a5e5fb822a0b738653d5357a577dbda8 /django | |
| parent | bd807c0c25ab69361a4c08edcc1cf04d4652aa0a (diff) | |
[5.1.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
Diffstat (limited to 'django')
| -rw-r--r-- | django/db/models/sql/query.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index a7bc0610c8..293856d86f 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -2442,6 +2442,8 @@ class Query(BaseExpression): self.has_select_fields = True if fields: + for field in fields: + self.check_alias(field) field_names = [] extra_names = [] annotation_names = [] |
