From 4c044fcc866ec226f612c475950b690b0139d243 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 13 Aug 2025 14:13:42 +0200 Subject: [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. --- django/db/models/sql/query.py | 1 + 1 file changed, 1 insertion(+) (limited to 'django/db/models/sql/query.py') diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 9b44d017ff..5247616086 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1696,6 +1696,7 @@ class Query(BaseExpression): return target_clause, needed_inner def add_filtered_relation(self, filtered_relation, alias): + self.check_alias(alias) filtered_relation.alias = alias relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( filtered_relation.relation_name -- cgit v1.3