| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-01-21 18:00:13 -0500 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 08:26:51 -0500 |
| commit | 881ff2c4830f95fa844d8de5977c06205d45368f (patch) | |
| tree | cec19d0f451fa7ec643338d8f99cc4f7ddde19a8 /tests/filtered_relation/tests.py | |
| parent | 90f5b10784ba5bf369caed87640e2b4394ea3314 (diff) | |
[4.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
Diffstat (limited to 'tests/filtered_relation/tests.py')
| -rw-r--r-- | tests/filtered_relation/tests.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/filtered_relation/tests.py b/tests/filtered_relation/tests.py
index 0fce8b092a..4847d1f04b 100644
--- a/tests/filtered_relation/tests.py
+++ b/tests/filtered_relation/tests.py
@@ -211,6 +211,19 @@ class FilteredRelationTests(TestCase):
 str(queryset.query),
 )
 
+ def test_period_forbidden(self):
+ msg = (
+ "FilteredRelation doesn't support aliases with periods (got 'book.alice')."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Author.objects.annotate(
+ **{
+ "book.alice": FilteredRelation(
+ "book", condition=Q(book__title__iexact="poem by alice")
+ )
+ }
+ )
+
 def test_multiple(self):
 qs = (
 Author.objects.annotate( |
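Review bot: `test_period_forbidden` exercises only `annotate()` with a single alias, so if the period check were later moved, `QuerySet.alias()` could lose the guard without this test failing. The commit message says the check exists because aliases in the ON clause are not quoted, so it is worth pinning at every entry point that accepts a `FilteredRelation`. The validation code is not on this page (the diffstat is limited to the tests file), so whether both paths share it is an assumption to confirm. Consider wrapping the existing assertion in `for method in (Author.objects.annotate, Author.objects.alias):` with `with self.subTest(method=method.__name__):`, and adding a comment above `msg` such as `# Refs CVE-2026-1312: aliases in the ON clause are not quoted.` so the test is recognisable as a security regression test. The enclosing `FilteredRelationTests` class starts before the hunk and `test_multiple` continues past it.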
