From f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 21 Jan 2026 11:14:48 +0000 Subject: [4.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. --- django/db/models/sql/query.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'django/db/models/sql') diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 3b8071eab4..a0d2d028cd 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -46,9 +46,11 @@ from django.utils.tree import Node __all__ = ["Query", "RawQuery"] -# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline -# SQL comments are forbidden in column aliases. -FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") +# Quotation marks ('"`[]), whitespace characters, control characters, +# semicolons, hashes, or inline SQL comments are forbidden in column aliases. +FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile( + r"['`\"\]\[;\s\x00-\x1F\x7F-\x9F]|#|--|/\*|\*/" +) # Inspired from # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS @@ -1124,7 +1126,7 @@ class Query(BaseExpression): if FORBIDDEN_ALIAS_PATTERN.search(alias): raise ValueError( "Column aliases cannot contain whitespace characters, hashes, " - "quotation marks, semicolons, or SQL comments." + "control characters, quotation marks, semicolons, or SQL comments." ) def add_annotation(self, annotation, alias, select=True): -- cgit v1.3