Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.
author: Simon Charette <charette.s@gmail.com> 2024-07-25 12:19:13 -0400
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-08-06 08:50:08 +0200
commit: c87bfaacf8fb84984243b5055dc70f97996cb115 (patch)
tree: ab5d519d769fa346059db9d49dcaa2b2f2b4c22c /django/db/models/sql
parent: 5f1757142febd95994caa1c0f64c1a0c161982c3 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 09916277bc..c1e2fc1d4f 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2461,6 +2461,8 @@ class Query(BaseExpression):
 
         selected = {}
         if fields:
+            for field in fields:
+                self.check_alias(field)
             field_names = []
             extra_names = []
             annotation_names = []
author	Simon Charette <charette.s@gmail.com>	2024-07-25 12:19:13 -0400
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-08-06 08:50:08 +0200
commit	c87bfaacf8fb84984243b5055dc70f97996cb115 (patch)
tree	ab5d519d769fa346059db9d49dcaa2b2f2b4c22c /django/db/models/sql
parent	5f1757142febd95994caa1c0f64c1a0c161982c3 (diff)