authorJacob Walls <jacobtylerwalls@gmail.com>2026-01-21 18:00:13 -0500
committerJacob Walls <jacobtylerwalls@gmail.com>2026-02-03 08:19:02 -0500
commitab0ad8d39555292b55123adeac57ed64c776f8d9 (patch)
tree4739f7c8c6648dade16d991d5256c5fa8e4e442e /django
parente863ee273c6553e9b6fa4960a17acb535851857b (diff)
[5.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.
This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
Diffstat (limited to 'django')
-rw-r--r--django/db/models/sql/query.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index baeac3a05b..324e605b8e 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1698,6 +1698,11 @@ class Query(BaseExpression):
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
+ if "." in alias:
+ raise ValueError(
+ "FilteredRelation doesn't support aliases with periods "
+ "(got %r)." % alias
+ )
self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
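Review bot: The new guard at the top of `add_filtered_relation` carries no comment explaining why periods are rejected here rather than inside `check_alias`, so a later refactor could drop or move it without noticing that it is security-relevant. I would add above the `if`: `# Aliases in the ON clause are not quoted, so a period would be read as a qualified name; remove once ticket 36795 lands.` The guard is also a one-character denylist, so whether every other character is safe in an unquoted ON-clause alias depends on the pattern `check_alias` enforces, which is outside this hunk and worth confirming against the same threat. A regression test asserting the `ValueError` for a dotted alias should accompany the change if it is not already in the part of the commit the diffstat filter hides. The body of `add_filtered_relation` continues past the end of the hunk.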