File CVE-2026-1312-followup.patch of Package python-Django.19338
From fe53bf3314f943f73007d7c62be8507bf1c86fbb Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 21 Jan 2026 18:00:13 -0500
Subject: [PATCH 7/7] [4.2.x] Refs CVE-2026-1312 -- Raised ValueError when
FilteredRelation aliases contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
Backport of 499357decf8072148dc726c34fce621ba066718c from main.
---
django/db/models/sql/query.py | 5 +++++
tests/filtered_relation/tests.py | 13 +++++++++++++
tests/ordering/tests.py | 11 ++++++++---
3 files changed, 26 insertions(+), 3 deletions(-)
Index: Django-2.2.28/django/db/models/sql/query.py
===================================================================
--- Django-2.2.28.orig/django/db/models/sql/query.py
+++ Django-2.2.28/django/db/models/sql/query.py
@@ -1371,6 +1371,11 @@ class Query:
return target_clause
def add_filtered_relation(self, filtered_relation, alias):
+ if "." in alias:
+ raise ValueError(
+ "FilteredRelation doesn't support aliases with periods "
+ "(got %r)." % alias
+ )
self.check_alias(alias)
filtered_relation.alias = alias
lookups = dict(get_children_from_q(filtered_relation.condition))
Index: Django-2.2.28/tests/filtered_relation/tests.py
===================================================================
--- Django-2.2.28.orig/tests/filtered_relation/tests.py
+++ Django-2.2.28/tests/filtered_relation/tests.py
@@ -124,6 +124,19 @@ class FilteredRelationTests(TestCase):
).filter(book_editor_a__isnull=False),
[self.author1]
)
+
+ def test_period_forbidden(self):
+ msg = (
+ "FilteredRelation doesn't support aliases with periods (got 'book.alice')."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Author.objects.annotate(
+ **{
+ "book.alice": FilteredRelation(
+ "book", condition=Q(book__title__iexact="poem by alice")
+ )
+ }
+ )
def test_multiple_times(self):
self.assertSequenceEqual(
Index: Django-2.2.28/tests/ordering/tests.py
===================================================================
--- Django-2.2.28.orig/tests/ordering/tests.py
+++ Django-2.2.28/tests/ordering/tests.py
@@ -3,7 +3,6 @@ from operator import attrgetter
from django.db.models import Count, DateTimeField, F, FilteredRelation, Max, OuterRef, Subquery
from django.db.models.functions import Upper
-from django.db.utils import DatabaseError
from django.test import TestCase
from django.utils.deprecation import RemovedInDjango31Warning
@@ -301,13 +300,19 @@ class OrderingTests(TestCase):
self.assertNotEqual(qs[0].headline, "Backdated")
relation = FilteredRelation("author")
- qs2 = Article.objects.annotate(**{crafted: relation}).order_by(crafted)
- with self.assertRaises(DatabaseError):
+ msg = (
+ "FilteredRelation doesn't support aliases with periods "
+ "(got 'ordering_article.pub_date')."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ qs2 = Article.objects.annotate(**{crafted: relation}).order_by(crafted)
# Before, unlike F(), which causes ordering expressions to be
# replaced by ordinals like n in ORDER BY n, these were ordered by
# pub_date instead of author.
# The Article model orders by -pk, so sorting on author will place
# first any article by author2 instead of the backdated one.
+ # This assertion is reachable if FilteredRelation.__init__() starts
+ # supporting periods in aliases in the future.
self.assertNotEqual(qs2[0].headline, "Backdated")
def test_order_by_pk(self):
