[4.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.

Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869 from main.
2026-02-09 02:49:25 +08:00 · 2026-01-21 17:53:52 -05:00
parent f75f8f3597
commit 90f5b10784
3 changed files with 36 additions and 1 deletions
--- a/django/db/models/sql/compiler.py
+++ b/django/db/models/sql/compiler.py
@@ -402,7 +402,7 @@ class SQLCompiler:
                yield OrderBy(expr, descending=descending), False
                continue

-            if "." in field:
+            if "." in field and field in self.query.extra_order_by:
                # This came in through an extra(order_by=...) addition. Pass it
                # on verbatim.
                table, col = col.split(".", 1)
--- a/docs/releases/4.2.28.txt
+++ b/docs/releases/4.2.28.txt
@@ -70,3 +70,13 @@ expansion, as the ``**kwargs`` passed to :meth:`.QuerySet.annotate`,

 This issue has severity "high" according to the :ref:`Django security policy
 <security-disclosure>`.
+
+CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and ``FilteredRelation``
+=========================================================================================
+
+:meth:`.QuerySet.order_by` was subject to SQL injection in column aliases
+containing periods when the same alias was, using a suitably crafted
+dictionary, with dictionary expansion, used in :class:`.FilteredRelation`.
+
+This issue has severity "high" according to the :ref:`Django security policy
+<security-disclosure>`.
--- a/tests/ordering/tests.py
+++ b/tests/ordering/tests.py
@@ -7,6 +7,7 @@ from django.db.models import (
    Count,
    DateTimeField,
    F,
+    FilteredRelation,
    Max,
    OrderBy,
    OuterRef,
@@ -14,6 +15,7 @@ from django.db.models import (
    Value,
 )
 from django.db.models.functions import Length, Upper
+from django.db.utils import DatabaseError
 from django.test import TestCase

 from .models import (
@@ -392,6 +394,29 @@ class OrderingTests(TestCase):
            attrgetter("headline"),
        )

+    def test_alias_with_period_shadows_table_name(self):
+        """
+        Aliases with periods are not confused for table names from extra().
+        """
+        Article.objects.update(author=self.author_2)
+        Article.objects.create(
+            headline="Backdated", pub_date=datetime(1900, 1, 1), author=self.author_1
+        )
+        crafted = "ordering_article.pub_date"
+
+        qs = Article.objects.annotate(**{crafted: F("author")}).order_by("-" + crafted)
+        self.assertNotEqual(qs[0].headline, "Backdated")
+
+        relation = FilteredRelation("author")
+        qs2 = Article.objects.annotate(**{crafted: relation}).order_by(crafted)
+        with self.assertRaises(DatabaseError):
+            # Before, unlike F(), which causes ordering expressions to be
+            # replaced by ordinals like n in ORDER BY n, these were ordered by
+            # pub_date instead of author.
+            # The Article model orders by -pk, so sorting on author will place
+            # first any article by author2 instead of the backdated one.
+            self.assertNotEqual(qs2[0].headline, "Backdated")
+
    def test_order_by_pk(self):
        """
        'pk' works as an ordering option in Meta.