[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.
author: Simon Charette <charette.s@gmail.com> 2024-07-25 18:19:13 +0200
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-07-31 16:12:35 +0200
commit: f4af67b9b41e0f4c117a8741da3abbd1c869ab28 (patch)
tree: 7c1dafe68ebba7fe818f1512e85d404bb73072f9 /django/db/models/sql/query.py
parent: efea1ef7e2190e3f77ca0651b5458297bc0f6a9f (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index f98c6c668b..e68fd9efb7 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2415,6 +2415,8 @@ class Query(BaseExpression):
         self.has_select_fields = True
 
         if fields:
+            for field in fields:
+                self.check_alias(field)
             field_names = []
             extra_names = []
             annotation_names = []
author	Simon Charette <charette.s@gmail.com>	2024-07-25 18:19:13 +0200
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-07-31 16:12:35 +0200
commit	f4af67b9b41e0f4c117a8741da3abbd1c869ab28 (patch)
tree	7c1dafe68ebba7fe818f1512e85d404bb73072f9 /django/db/models/sql/query.py
parent	efea1ef7e2190e3f77ca0651b5458297bc0f6a9f (diff)