[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. - django.git

diff options

author	Jake Howard <git@theorangeone.net>	2026-01-21 11:14:48 +0000
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-02-03 08:25:58 -0500
commit	f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d (patch)
tree	66d10b9f7d41e416559b74d9b59f83d787b6cbcb /django/db/models/sql/datastructures.py
parent	b40cfc6052ced26dcd8166a58ea6f841d0d2cac8 (diff)

[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.

Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.

Diffstat (limited to 'django/db/models/sql/datastructures.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: