summaryrefslogtreecommitdiff
path: root/django/db/models/sql/query.py
diff options
context:
space:
mode:
authorJake Howard <git@theorangeone.net>2025-08-13 14:13:42 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-09-03 13:15:55 +0200
commit4c044fcc866ec226f612c475950b690b0139d243 (patch)
treee123e7217282c000135f3d2a29c55b0f337e67b2 /django/db/models/sql/query.py
parente87ca3d6fa6fb12e06f9c755ecd3ebc3a528e02b (diff)
[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
Diffstat (limited to 'django/db/models/sql/query.py')
-rw-r--r--django/db/models/sql/query.py1
1 files changed, 1 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 9b44d017ff..5247616086 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1696,6 +1696,7 @@ class Query(BaseExpression):
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
+ self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
filtered_relation.relation_name
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 02:12:42 +0000