diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2025-09-10 09:53:52 +0200 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-10-01 08:24:18 -0400 |
| commit | 52fbae0a4dbbe5faa59827f8f05694a0065cc135 (patch) | |
| tree | ff699ccf99b28a8319387ecf8fcc10cebf2dbd43 /tests/aggregation | |
| parent | 1794cbf961f9ea54715fb094fe8adc80a5054947 (diff) | |
[5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
Diffstat (limited to 'tests/aggregation')
| -rw-r--r-- | tests/aggregation/tests.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py index bf44c4d25f..2e41f19947 100644 --- a/tests/aggregation/tests.py +++ b/tests/aggregation/tests.py @@ -2136,8 +2136,8 @@ class AggregateTestCase(TestCase): def test_alias_sql_injection(self): crafted_alias = """injected_name" from "aggregation_author"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Author.objects.aggregate(**{crafted_alias: Avg("age")}) |
