diff options
| author | Jake Howard <git@theorangeone.net> | 2026-01-21 11:14:48 +0000 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 07:55:04 -0500 |
| commit | e891a84c7ef9962bfcc3b4685690219542f86a22 (patch) | |
| tree | 15e63282d7b0470f3e31b91c5ecb87a238f508a2 /tests/ordering | |
| parent | a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 (diff) | |
Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Diffstat (limited to 'tests/ordering')
0 files changed, 0 insertions, 0 deletions