1 files changed, 24 insertions, 12 deletions

diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
index 080ee06183..afd8a51159 100644
--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
@@ -1,3 +1,5 @@
+from itertools import chain
+
 from django.db.models import F, Sum
 from django.test import TestCase, skipUnlessDBFeature
 
@@ -35,26 +37,36 @@ class ValuesExpressionsTests(TestCase):
         )
 
     def test_values_expression_alias_sql_injection(self):
-        crafted_alias = """injected_name" from "expressions_company"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "marks, semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, "
+            "control characters, quotation marks, semicolons, or SQL comments."
         )
-        with self.assertRaisesMessage(ValueError, msg):
-            Company.objects.values(**{crafted_alias: F("ceo__salary")})
+        for crafted_alias in [
+            """injected_name" from "expressions_company"; --""",
+            # Control characters.
+            *(f"name{chr(c)}" for c in chain(range(32), range(0x7F, 0xA0))),
+        ]:
+            with self.subTest(crafted_alias):
+                with self.assertRaisesMessage(ValueError, msg):
+                    Company.objects.values(**{crafted_alias: F("ceo__salary")})
 
     @skipUnlessDBFeature("supports_json_field")
     def test_values_expression_alias_sql_injection_json_field(self):
-        crafted_alias = """injected_name" from "expressions_company"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, hashes, quotation "
-            "marks, semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, "
+            "control characters, quotation marks, semicolons, or SQL comments."
         )
-        with self.assertRaisesMessage(ValueError, msg):
-            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+        for crafted_alias in [
+            """injected_name" from "expressions_company"; --""",
+            # Control characters.
+            *(chr(c) for c in chain(range(32), range(0x7F, 0xA0))),
+        ]:
+            with self.subTest(crafted_alias):
+                with self.assertRaisesMessage(ValueError, msg):
+                    JSONFieldModel.objects.values(f"data__{crafted_alias}")
 
-        with self.assertRaisesMessage(ValueError, msg):
-            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+                with self.assertRaisesMessage(ValueError, msg):
+                    JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
 
     def test_values_expression_group_by(self):
         # values() applies annotate() first, so values selected are grouped by