[6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. - django.git

diff options

author	Jake Howard <git@theorangeone.net>	2026-01-21 11:14:48 +0000
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-02-03 08:03:39 -0500
commit	0c0f5c2178c01ada5410cd53b4b207bf7858b952 (patch)
tree	835593f167090d10c90e03c0c576246c40967135 /django/db/models/sql/constants.py
parent	4b86ba51e486530db982341a23e53c7a1e1e6e71 (diff)

[6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.

Diffstat (limited to 'django/db/models/sql/constants.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: