[4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2025-09-10 09:53:52 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 09:05:20 -0400
commit: 38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 (patch)
tree: 8647674b2efff2057825ef33b5a0b1901cfbdef0 /tests/aggregation
parent: 7c7d2a4a1056412bac063474f583b44b9a109e8d (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
index 48266d9774..277c0507f7 100644
--- a/tests/aggregation/tests.py
+++ b/tests/aggregation/tests.py
@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase):
     def test_alias_sql_injection(self):
         crafted_alias = """injected_name" from "aggregation_author"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             Author.objects.aggregate(**{crafted_alias: Avg("age")})
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2025-09-10 09:53:52 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 09:05:20 -0400
commit	38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 (patch)
tree	8647674b2efff2057825ef33b5a0b1901cfbdef0 /tests/aggregation
parent	7c7d2a4a1056412bac063474f583b44b9a109e8d (diff)