From 881ff2c4830f95fa844d8de5977c06205d45368f Mon Sep 17 00:00:00 2001
From: Jacob Walls
Date: Wed, 21 Jan 2026 18:00:13 -0500
Subject: [4.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.

This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
---
 django/db/models/sql/query.py | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'django/db/models/sql/query.py')
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index a0d2d028cd..59b40ebfc9 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1622,6 +1622,11 @@ class Query(BaseExpression):
 return target_clause

 def add_filtered_relation(self, filtered_relation, alias):
+ if "." in alias:
+ raise ValueError(
+ "FilteredRelation doesn't support aliases with periods "
+ "(got %r)." % alias
+ )
 self.check_alias(alias)
 filtered_relation.alias = alias
 lookups = dict(get_children_from_q(filtered_relation.condition))
-- 
cgit v1.3
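Review bot: The new guard at the top of `add_filtered_relation` has no comment, so the reason periods are singled out (the alias is emitted unquoted in the ON clause, per the commit message) cannot be learned from the code. I would add `# Aliases are not quoted in the ON clause, so periods are rejected here; see ticket #36795.` directly above the `if`. Because the alias stays unquoted, this path appears to rely on the following `self.check_alias(alias)` call, whose body is outside the hunk, to reject every other character that is unsafe in an unquoted identifier. That is worth confirming, and a regression test covering FilteredRelation aliases with periods would pin it if the full commit does not already include one (this view is limited to `query.py`). The rest of `add_filtered_relation` also lies outside the hunk.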