summaryrefslogtreecommitdiff
path: root/tests/aggregation
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2025-09-10 09:53:52 +0200
committerJacob Walls <jacobtylerwalls@gmail.com>2025-10-01 08:17:15 -0400
commit4ceaaee7e04b416fc465e838a6ef43ca0ccffafe (patch)
tree8e22224e519d210f988927cfc4ecac938edb1606 /tests/aggregation
parentee0610673b7ab40f2a62a1879307c3ff16540b81 (diff)
[6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
Diffstat (limited to 'tests/aggregation')
-rw-r--r--tests/aggregation/tests.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
index bd33a532b3..f2ec4bd343 100644
--- a/tests/aggregation/tests.py
+++ b/tests/aggregation/tests.py
@@ -2244,8 +2244,8 @@ class AggregateTestCase(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "aggregation_author"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes, quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Author.objects.aggregate(**{crafted_alias: Avg("age")})