summaryrefslogtreecommitdiff
path: root/django/db/models/sql/query.py
diff options
context:
space:
mode:
authorJake Howard <git@theorangeone.net>2025-08-13 14:13:42 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-09-03 13:31:32 +0200
commit102965ea93072fe3c39a30be437c683ec1106ef5 (patch)
tree7c844dd4890c60a09f61193d91f8852432ede2bb /django/db/models/sql/query.py
parent44cd014a0ad35b3867595db1f3f4f1844308d581 (diff)
[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
Diffstat (limited to 'django/db/models/sql/query.py')
-rw-r--r--django/db/models/sql/query.py1
1 files changed, 1 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 293856d86f..332e4f2ac6 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1659,6 +1659,7 @@ class Query(BaseExpression):
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
+ self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
filtered_relation.relation_name
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 04:57:53 +0000