From f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Mon Sep 17 00:00:00 2001
From: Simon Charette
Date: Thu, 25 Jul 2024 18:19:13 +0200
Subject: [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.
---
 django/db/models/sql/query.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'django/db/models/sql/query.py')

diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index f98c6c668b..e68fd9efb7 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -2415,6 +2415,8 @@ class Query(BaseExpression):
         self.has_select_fields = True
 
         if fields:
+            for field in fields:
+                self.check_alias(field)
             field_names = []
             extra_names = []
             annotation_names = []
-- 
cgit v1.3
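Review bot: The new `check_alias()` loop has no comment recording why a column-alias check is applied to the names passed to values()/values_list(), so a later reader may see it as redundant with the field resolution below and remove it; add `# Names may be interpolated into SQL by JSON key transforms (CVE-2024-42005); reject alias-unsafe characters before lookup resolution.` above the `for field in fields:` line. As far as the hunk shows, the check is a character denylist rather than a positive validation that each entry resolves to a known field or lookup path, so it should be documented as a mitigation layered on top of the later resolution, not as the sole guard. The enclosing method (presumably the one that sets `has_select_fields`) starts before and continues after the hunk, so whether non-string entries can reach `check_alias()` cannot be confirmed from here.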