Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.

This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-01-21 18:00:13 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-02-03 07:56:04 -0500
commit: 005d60d97c4dfb117503bdb6f2facfcaf9315d84 (patch)
tree: 0731ff63a878625da04fa96e90da8ee32ed43f89 /django/db/models/sql
parent: 69065ca869b0970dff8fdd8fafb390bf8b3bf222 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index c6f080dcbb..7a4cf843c1 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1720,6 +1720,11 @@ class Query(BaseExpression):
         return target_clause, needed_inner
 
     def add_filtered_relation(self, filtered_relation, alias):
+        if "." in alias:
+            raise ValueError(
+                "FilteredRelation doesn't support aliases with periods "
+                "(got %r)." % alias
+            )
         self.check_alias(alias)
         filtered_relation.alias = alias
         relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-01-21 18:00:13 -0500
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-02-03 07:56:04 -0500
commit	005d60d97c4dfb117503bdb6f2facfcaf9315d84 (patch)
tree	0731ff63a878625da04fa96e90da8ee32ed43f89 /django/db/models/sql
parent	69065ca869b0970dff8fdd8fafb390bf8b3bf222 (diff)