diff options
| author | Jake Howard <git@theorangeone.net> | 2026-01-21 11:14:48 +0000 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 08:25:58 -0500 |
| commit | f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d (patch) | |
| tree | 66d10b9f7d41e416559b74d9b59f83d787b6cbcb /docs/releases/4.2.28.txt | |
| parent | b40cfc6052ced26dcd8166a58ea6f841d0d2cac8 (diff) | |
[4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
Diffstat (limited to 'docs/releases/4.2.28.txt')
| -rw-r--r-- | docs/releases/4.2.28.txt | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt index 3c9529a4f8..fa6b1f19bd 100644 --- a/docs/releases/4.2.28.txt +++ b/docs/releases/4.2.28.txt @@ -55,3 +55,18 @@ denial-of-service attack via certain inputs with a large number of unmatched HTML end tags, which could cause quadratic time complexity during HTML parsing. This issue has severity "moderate" according to the Django security policy. +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. + +CVE-2026-1287: Potential SQL injection in column aliases via control characters +=============================================================================== + +:class:`.FilteredRelation` was subject to SQL injection in column aliases via +control characters, using a suitably crafted dictionary, with dictionary +expansion, as the ``**kwargs`` passed to :meth:`.QuerySet.annotate`, +:meth:`~.QuerySet.aggregate`, :meth:`~.QuerySet.extra`, +:meth:`~.QuerySet.values`, :meth:`~.QuerySet.values_list`, and +:meth:`~.QuerySet.alias`. + +This issue has severity "high" according to the :ref:`Django security policy +<security-disclosure>`. |