From 01d2d770e22bffe53c7f1e611e2bbca94cb8a2e7 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Wed, 10 Sep 2025 09:53:52 +0200 Subject: [5.1.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. --- django/db/models/sql/query.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'django/db/models/sql/query.py') diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 332e4f2ac6..b39b74322b 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -47,9 +47,9 @@ from django.utils.tree import Node __all__ = ["Query", "RawQuery"] -# Quotation marks ('"`[]), whitespace characters, semicolons, or inline +# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline # SQL comments are forbidden in column aliases. -FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") +FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") # Inspired from # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS @@ -1184,8 +1184,8 @@ class Query(BaseExpression): def check_alias(self, alias): if FORBIDDEN_ALIAS_PATTERN.search(alias): raise ValueError( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, " + "quotation marks, semicolons, or SQL comments." ) def add_annotation(self, annotation, alias, select=True): -- cgit v1.3