From 259dff061a9ea85f061ff71c0adb0e07ead693d3 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 21 Jan 2026 18:00:13 -0500 Subject: [6.0.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main. --- django/db/models/sql/query.py | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'django/db/models/sql/query.py') diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 9eaaec1c8a..12d1a6a937 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1726,6 +1726,11 @@ class Query(BaseExpression): return target_clause, needed_inner def add_filtered_relation(self, filtered_relation, alias): + if "." in alias: + raise ValueError( + "FilteredRelation doesn't support aliases with periods " + "(got %r)." % alias + ) self.check_alias(alias) filtered_relation.alias = alias relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( -- cgit v1.3