diff options
| author | Jake Howard <git@theorangeone.net> | 2025-08-13 13:13:42 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-09-03 13:10:58 +0200 |
| commit | 51711717098d3f469f795dfa6bc3758b24f69ef7 (patch) | |
| tree | 2d977f1069bc7840eda4061a4f54367c4cc8fe98 /django/db/models/sql/query.py | |
| parent | d044e25dc2106b94ebdedf0bfde9238be1a3765c (diff) | |
Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Diffstat (limited to 'django/db/models/sql/query.py')
| -rw-r--r-- | django/db/models/sql/query.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index e3186c4919..f332d83946 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -1720,6 +1720,7 @@ class Query(BaseExpression): return target_clause, needed_inner def add_filtered_relation(self, filtered_relation, alias): + self.check_alias(alias) filtered_relation.alias = alias relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( filtered_relation.relation_name |