diff options
| author | Jake Howard <git@theorangeone.net> | 2026-01-21 11:14:48 +0000 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 08:25:58 -0500 |
| commit | f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d (patch) | |
| tree | 66d10b9f7d41e416559b74d9b59f83d787b6cbcb /django/db/models/sql | |
| parent | b40cfc6052ced26dcd8166a58ea6f841d0d2cac8 (diff) | |
[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
Diffstat (limited to 'django/db/models/sql')
| -rw-r--r-- | django/db/models/sql/query.py | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 3b8071eab4..a0d2d028cd 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -46,9 +46,11 @@ from django.utils.tree import Node __all__ = ["Query", "RawQuery"] -# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline -# SQL comments are forbidden in column aliases. -FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") +# Quotation marks ('"`[]), whitespace characters, control characters, +# semicolons, hashes, or inline SQL comments are forbidden in column aliases. +FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile( + r"['`\"\]\[;\s\x00-\x1F\x7F-\x9F]|#|--|/\*|\*/" +) # Inspired from # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS @@ -1124,7 +1126,7 @@ class Query(BaseExpression): if FORBIDDEN_ALIAS_PATTERN.search(alias): raise ValueError( "Column aliases cannot contain whitespace characters, hashes, " - "quotation marks, semicolons, or SQL comments." + "control characters, quotation marks, semicolons, or SQL comments." ) def add_annotation(self, annotation, alias, select=True): |