helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-19 15:56:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
meta-openembedded/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch
Haixiao Yan 151e634ed2 python3-django: fix CVE-2025-64459 
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Upstream-patch:
72d2c87431
4624ed769c

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-15 14:10:33 +05:30

58 lines
2.1 KiB
Diff
Raw Blame History

From 45f5d17986f70f0aaf4a666b2d71ae6750beeb88 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 24 Sep 2025 15:54:51 -0400
Subject: [PATCH] [5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections
in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
CVE: CVE-2025-64459
Upstream-Status: Backport [https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241]
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/db/models/query_utils.py | 4 ++++
tests/queries/test_q.py | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
index a04bbad5e7f8..d8610bc54d46 100644
--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
@@ -47,8 +47,12 @@ class Q(tree.Node):
XOR = "XOR"
default = AND
conditional = True
+ connectors = (None, AND, OR, XOR)
def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+ if _connector not in self.connectors:
+ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+ raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
super().__init__(
children=[*args, *sorted(kwargs.items())],
connector=_connector,
diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
index f7192a430a12..b21ec929a2ec 100644
--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -264,6 +264,11 @@ class QTests(SimpleTestCase):
Q(*items, _connector=connector),
)
+ def test_connector_validation(self):
+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+ with self.assertRaisesMessage(ValueError, msg):
+ Q(_connector="evil")
+
def test_referenced_base_fields(self):
# Make sure Q.referenced_base_fields retrieves all base fields from
# both filters and F expressions.
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink