| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-11-17 17:09:54 -0500 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-12-02 09:27:34 -0300 |
| commit | 479415ce5249bcdebeb6570c72df2a87f45a7bbf (patch) | |
| tree | d7959f5126003e1bd994831b8e40288c899db54f /django | |
| parent | da1dfe64c821ba03ca7b0c936184cca1ad641316 (diff) | |
[5.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.
Follow-up to CVE-2025-57833.
Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak
for the reviews.
Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.
Diffstat (limited to 'django')
| -rw-r--r-- | django/db/backends/postgresql/compiler.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/django/db/backends/postgresql/compiler.py b/django/db/backends/postgresql/compiler.py
index dc2db148ae..38b61c4898 100644
--- a/django/db/backends/postgresql/compiler.py
+++ b/django/db/backends/postgresql/compiler.py
@@ -1,6 +1,6 @@
 from django.db.models.sql.compiler import (
     SQLAggregateCompiler,
-    SQLCompiler,
+    SQLCompiler as BaseSQLCompiler,
     SQLDeleteCompiler,
 )
 from django.db.models.sql.compiler import SQLInsertCompiler as BaseSQLInsertCompiler
@@ -25,6 +25,15 @@ class InsertUnnest(list):
         return "UNNEST(%s)" % ", ".join(self)
 
 
+class SQLCompiler(BaseSQLCompiler):
+    def quote_name_unless_alias(self, name):
+        if "$" in name:
+            raise ValueError(
+                "Dollar signs are not permitted in column aliases on PostgreSQL."
+            )
+        return super().quote_name_unless_alias(name)
+
+
 class SQLInsertCompiler(BaseSQLInsertCompiler):
     def assemble_as_sql(self, fields, value_rows):
         # Specialize bulk-insertion of literal values through UNNEST to
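Review bot: The new `"$"` guard lives only on the PostgreSQL `SQLCompiler` subclass, while `SQLAggregateCompiler` and `SQLDeleteCompiler` are still re-exported unchanged from the base module in the first hunk and `SQLInsertCompiler` below subclasses `BaseSQLInsertCompiler`, so those compilers keep the unguarded base `quote_name_unless_alias`; whether an attacker-influenced alias can reach them is not visible here and should be confirmed rather than assumed. The override also rejects every name routed through this method, not just aliases, so a `db_table` or column name that legitimately contains `$` would now fail with a message that talks about "column aliases"; if that is intended the message should say so, and either way the method deserves a docstring such as `"""Reject "$" in identifiers before quoting; see CVE-2025-13372 (follow-up to CVE-2025-57833)."""` so the next reader does not remove the check as dead validation. `"$" in name` presumes `name` is a `str`; the base method's callers are outside the hunk, so that assumption is inferred, not shown. The `assemble_as_sql` body of `SQLInsertCompiler` continues past the end of the hunk.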
