authorJacob Walls <jacobtylerwalls@gmail.com>2026-01-21 18:00:13 -0500
committerJacob Walls <jacobtylerwalls@gmail.com>2026-02-03 07:56:04 -0500
commit005d60d97c4dfb117503bdb6f2facfcaf9315d84 (patch)
tree0731ff63a878625da04fa96e90da8ee32ed43f89 /django/db/models/sql/query.py
parent69065ca869b0970dff8fdd8fafb390bf8b3bf222 (diff)
Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.
This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
Diffstat (limited to 'django/db/models/sql/query.py')
-rw-r--r--django/db/models/sql/query.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index c6f080dcbb..7a4cf843c1 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1720,6 +1720,11 @@ class Query(BaseExpression):
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
+ if "." in alias:
+ raise ValueError(
+ "FilteredRelation doesn't support aliases with periods "
+ "(got %r)." % alias
+ )
self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
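Review bot: The new `if "." in alias:` guard at the top of `add_filtered_relation` has no comment saying why periods are rejected, so a reader without the commit message cannot tell it is a stopgap tied to unquoted ON-clause aliases. I would add `# Aliases are not quoted in the ON clause; reject periods until #36795 lands.` directly above the `if`, so the guard is revisited when systematic quoting is implemented. The guard covers only periods; every other character relies on `self.check_alias(alias)`, whose body is not in this hunk, so it is worth confirming that it rejects everything else that is significant in an unquoted identifier. The diffstat is limited to this file, so a regression test asserting the `ValueError` for a dotted alias should be checked for elsewhere in the commit. The body of `add_filtered_relation` continues past the end of the hunk.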