From 01d2d770e22bffe53c7f1e611e2bbca94cb8a2e7 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Wed, 10 Sep 2025 09:53:52 +0200 Subject: [5.1.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. --- tests/aggregation/tests.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests/aggregation') diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py index a5914f1878..0ebd5be758 100644 --- a/tests/aggregation/tests.py +++ b/tests/aggregation/tests.py @@ -2133,8 +2133,8 @@ class AggregateTestCase(TestCase): def test_alias_sql_injection(self): crafted_alias = """injected_name" from "aggregation_author"; --""" msg = ( - "Column aliases cannot contain whitespace characters, quotation marks, " - "semicolons, or SQL comments." + "Column aliases cannot contain whitespace characters, hashes, quotation " + "marks, semicolons, or SQL comments." ) with self.assertRaisesMessage(ValueError, msg): Author.objects.aggregate(**{crafted_alias: Avg("age")}) -- cgit v1.3