[5.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. - django.git

diff options

author	Jake Howard <git@theorangeone.net>	2026-01-21 11:14:48 +0000
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-02-03 08:17:34 -0500
commit	3e68ccdc11c127758745ddf0b4954990b14892bc (patch)
tree	54f85a8b032fcbe204aaa114d6df9503a72db97b /django/db/models/sql/datastructures.py
parent	9f2ada875bbee62ac46032e38ddb22755d67ae5a (diff)

[5.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.

Diffstat (limited to 'django/db/models/sql/datastructures.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: