diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2025-09-10 09:53:52 +0200 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-10-01 08:17:15 -0400 |
| commit | 4ceaaee7e04b416fc465e838a6ef43ca0ccffafe (patch) | |
| tree | 8e22224e519d210f988927cfc4ecac938edb1606 /django/db/models/sql/query.py | |
| parent | ee0610673b7ab40f2a62a1879307c3ff16540b81 (diff) | |
[6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
Diffstat (limited to 'django/db/models/sql/query.py')
| -rw-r--r-- | django/db/models/sql/query.py | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index f332d83946..1138a85ffb 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -52,12 +52,12 @@ from django.utils.tree import Node __all__ = ["Query", "RawQuery"] # RemovedInDjango70Warning: When the deprecation ends, replace with: -# Quotation marks ('"`[]), whitespace characters, semicolons, percent signs -# or inline SQL comments are forbidden in column aliases. -# FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|%|--|/\*|\*/") -# Quotation marks ('"`[]), whitespace characters, semicolons, or inline +# Quotation marks ('"`[]), whitespace characters, semicolons, percent signs, +# hashes, or inline SQL comments are forbidden in column aliases. +# FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|%|#|--|/\*|\*/") +# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline # SQL comments are forbidden in column aliases. -FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") +FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") # Inspired from # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS @@ -1228,11 +1228,12 @@ class Query(BaseExpression): ) if FORBIDDEN_ALIAS_PATTERN.search(alias): raise ValueError( - "Column aliases cannot contain whitespace characters, quotation marks, " + "Column aliases cannot contain whitespace characters, hashes, " # RemovedInDjango70Warning: When the deprecation ends, replace # with: - # "semicolons, percent signs, or SQL comments." - "semicolons, or SQL comments." + # "quotation marks, semicolons, percent signs, or SQL " + # "comments." + "quotation marks, semicolons, or SQL comments." ) def add_annotation(self, annotation, alias, select=True): |