
Kind regards, the Django Security Team.

=== Special characters in user-controlled aliases ===

After review, we have determined that we cannot confirm a security vulnerability from the information provided.

In some circumstances in versions of Django before 6.1, the names of database objects are not quoted. If users can supply the names of these database objects, e.g. via an annotation employing `FilteredRelation`, this situation may need to be analyzed for security impact. Django uses a regular expression (`FORBIDDEN_ALIAS_PATTERN`) to reject dangerous characters in such names. To propose additions to this regex, the Security Team needs to see an exploit that alters a query and executes successfully, rather than one that merely raises an error in the ORM layer or on the database.

Please resubmit if you can supply such a proof of concept.
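The alias check described above, as an added example that is not Django's own code nor part of the Security Team's template: the regex below reproduces, from memory and as an assumption, the `FORBIDDEN_ALIAS_PATTERN` in `django/db/models/sql/query.py` that annotation and `FilteredRelation` names pass through, and pairs it with the stricter identifier allowlist an application can apply before accepting a user-controlled alias at all. The sample aliases are constructed. The `passes_denylist_only` category is the one the template asks reporters to probe: a name Django accepts but that is not a plain identifier, where only a query that actually executes with altered meaning would justify extending the regex.

```python
import re

# Reproduced from memory (treat as an assumption) of Django's denylist for
# alias names: whitespace, quotes, brackets, semicolons and SQL comment
# markers are rejected with a ValueError by the ORM.
DJANGO_FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")

# Stricter allowlist an application can enforce itself before handing a
# user-controlled name to annotate()/FilteredRelation(): a plain identifier
# (letters, digits, underscores, not starting with a digit), length-capped.
IDENTIFIER_ALLOWLIST = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def django_rejects(alias: str) -> bool:
    """True if the denylist regex would reject this alias (ORM raises ValueError)."""
    return DJANGO_FORBIDDEN_ALIAS_PATTERN.search(alias) is not None


def allowlist_accepts(alias: str) -> bool:
    """True if the alias is a plain SQL identifier under the stricter allowlist."""
    return IDENTIFIER_ALLOWLIST.match(alias) is not None


def classify(alias: str) -> str:
    """Classify a candidate alias into one of three categories:

    rejected_by_django   - the ORM denylist already blocks it
    passes_denylist_only - the ORM accepts it but it is not a plain identifier;
                           this is the category a reporter must show altering
                           an executing query before the regex is extended
    safe_identifier      - accepted by both the denylist and the allowlist
    """
    if django_rejects(alias):
        return "rejected_by_django"
    if not allowlist_accepts(alias):
        return "passes_denylist_only"
    return "safe_identifier"


# Constructed sample inputs (not taken from any report), with expected verdicts.
SAMPLE_ALIASES = {
    "recent_books": "safe_identifier",
    "x; SELECT 1": "rejected_by_django",   # semicolon and whitespace
    "x--comment": "rejected_by_django",    # SQL line-comment marker
    'x"y': "rejected_by_django",           # double quote
    "x)+(1": "passes_denylist_only",       # no forbidden characters, not an identifier
    "total=1": "passes_denylist_only",     # '=' is not in the denylist
}


def check_samples() -> dict:
    """Run every constructed sample through classify() and return the verdicts."""
    return {alias: classify(alias) for alias in SAMPLE_ALIASES}


def validate_user_alias(alias: str) -> str:
    """What an application should do with a user-supplied alias: allowlist only.

    Returns the alias unchanged if it is a plain identifier; raises ValueError
    otherwise, without relying on the ORM's denylist as the only barrier.
    """
    if not allowlist_accepts(alias):
        raise ValueError(f"alias {alias!r} is not a plain identifier")
    return alias


if __name__ == "__main__":
    for alias, verdict in check_samples().items():
        print(f"{alias!r:18} -> {verdict}")
```

In the ORM the denylist is the last line of defence; an application that lets users name annotations should never get that far with anything `validate_user_alias` would reject, which is why the allowlist is applied first.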