forked from pool/python-Django
68 lines
2.7 KiB
Diff
68 lines
2.7 KiB
Diff
From 479415ce5249bcdebeb6570c72df2a87f45a7bbf Mon Sep 17 00:00:00 2001
|
|
From: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Date: Mon, 17 Nov 2025 17:09:54 -0500
|
|
Subject: [PATCH] [5.2.x] Fixed CVE-2025-13372 -- Protected FilteredRelation
|
|
against SQL injection in column aliases on PostgreSQL.
|
|
|
|
Follow-up to CVE-2025-57833.
|
|
|
|
Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak
|
|
for the reviews.
|
|
|
|
Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.
|
|
---
|
|
django/db/backends/postgresql/compiler.py | 11 ++++++++++-
|
|
docs/releases/4.2.27.txt | 8 ++++++++
|
|
docs/releases/5.1.15.txt | 8 ++++++++
|
|
docs/releases/5.2.9.txt | 8 ++++++++
|
|
tests/annotations/tests.py | 11 +++++++++++
|
|
5 files changed, 45 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/django/db/backends/postgresql/compiler.py b/django/db/backends/postgresql/compiler.py
|
|
index dc2db148aed5..38b61c489838 100644
|
|
--- a/django/db/backends/postgresql/compiler.py
|
|
+++ b/django/db/backends/postgresql/compiler.py
|
|
@@ -1,6 +1,6 @@
|
|
from django.db.models.sql.compiler import (
|
|
SQLAggregateCompiler,
|
|
- SQLCompiler,
|
|
+ SQLCompiler as BaseSQLCompiler,
|
|
SQLDeleteCompiler,
|
|
)
|
|
from django.db.models.sql.compiler import SQLInsertCompiler as BaseSQLInsertCompiler
|
|
@@ -25,6 +25,15 @@ def __str__(self):
|
|
return "UNNEST(%s)" % ", ".join(self)
|
|
|
|
|
|
+class SQLCompiler(BaseSQLCompiler):
|
|
+ def quote_name_unless_alias(self, name):
|
|
+ if "$" in name:
|
|
+ raise ValueError(
|
|
+ "Dollar signs are not permitted in column aliases on PostgreSQL."
|
|
+ )
|
|
+ return super().quote_name_unless_alias(name)
|
|
+
|
|
+
|
|
class SQLInsertCompiler(BaseSQLInsertCompiler):
|
|
def assemble_as_sql(self, fields, value_rows):
|
|
# Specialize bulk-insertion of literal values through UNNEST to
|
|
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
|
|
index 7a1212122427..78e5408d0fe7 100644
|
|
--- a/tests/annotations/tests.py
|
|
+++ b/tests/annotations/tests.py
|
|
@@ -1507,3 +1507,14 @@ def test_alias_filtered_relation_sql_injection(self):
|
|
)
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
|
|
+
|
|
+ def test_alias_filtered_relation_sql_injection_dollar_sign(self):
|
|
+ qs = Book.objects.alias(
|
|
+ **{"crafted_alia$": FilteredRelation("authors")}
|
|
+ ).values("name", "crafted_alia$")
|
|
+ if connection.vendor == "postgresql":
|
|
+ msg = "Dollar signs are not permitted in column aliases on PostgreSQL."
|
|
+ with self.assertRaisesMessage(ValueError, msg):
|
|
+ list(qs)
|
|
+ else:
|
|
+ self.assertEqual(qs.first()["name"], self.b1.name)
|