[4.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.

This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-01-21 18:00:13 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-02-03 08:26:51 -0500
commit: 881ff2c4830f95fa844d8de5977c06205d45368f (patch)
tree: cec19d0f451fa7ec643338d8f99cc4f7ddde19a8 /django/db/models/sql
parent: 90f5b10784ba5bf369caed87640e2b4394ea3314 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index a0d2d028cd..59b40ebfc9 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1622,6 +1622,11 @@ class Query(BaseExpression):
         return target_clause
 
     def add_filtered_relation(self, filtered_relation, alias):
+        if "." in alias:
+            raise ValueError(
+                "FilteredRelation doesn't support aliases with periods "
+                "(got %r)." % alias
+            )
         self.check_alias(alias)
         filtered_relation.alias = alias
         lookups = dict(get_children_from_q(filtered_relation.condition))
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-01-21 18:00:13 -0500
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-02-03 08:26:51 -0500
commit	881ff2c4830f95fa844d8de5977c06205d45368f (patch)
tree	cec19d0f451fa7ec643338d8f99cc4f7ddde19a8 /django/db/models/sql
parent	90f5b10784ba5bf369caed87640e2b4394ea3314 (diff)