[5.0.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.
author: Simon Charette <charette.s@gmail.com> 2024-07-25 18:19:13 +0200
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-08-06 08:51:55 +0200
commit: 32ebcbf2e1fe3e5ba79a6554a167efce81f7422d (patch)
tree: ece61f70ea6a6c10ff44655f0dcb924a806bb628 /django/db/models/sql/query.py
parent: 523da8771bce321023f490f70d71a9e973ddc927 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 277e8a18ca..fe6baca607 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2446,6 +2446,8 @@ class Query(BaseExpression):
         self.has_select_fields = True
 
         if fields:
+            for field in fields:
+                self.check_alias(field)
             field_names = []
             extra_names = []
             annotation_names = []
author	Simon Charette <charette.s@gmail.com>	2024-07-25 18:19:13 +0200
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-08-06 08:51:55 +0200
commit	32ebcbf2e1fe3e5ba79a6554a167efce81f7422d (patch)
tree	ece61f70ea6a6c10ff44655f0dcb924a806bb628 /django/db/models/sql/query.py
parent	523da8771bce321023f490f70d71a9e973ddc927 (diff)