From 005d60d97c4dfb117503bdb6f2facfcaf9315d84 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 21 Jan 2026 18:00:13 -0500 Subject: Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. --- django/db/models/sql/query.py | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'django/db/models/sql') diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index c6f080dcbb..7a4cf843c1 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1720,6 +1720,11 @@ class Query(BaseExpression): return target_clause, needed_inner def add_filtered_relation(self, filtered_relation, alias): + if "." in alias: + raise ValueError( + "FilteredRelation doesn't support aliases with periods " + "(got %r)." % alias + ) self.check_alias(alias) filtered_relation.alias = alias relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( -- cgit v1.3