[5.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-09-24 15:54:51 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-05 09:33:15 -0300
commit: 6703f364d767e949c5b0e4016433ef75063b4f9b (patch)
tree: 361d096595aec087af9e80a8a396ae50a2d97922 /django
parent: 4f5d904b63751dea9ffc3b0e046404a7fa5881ac (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
index d219c5fb0e..9d237cdc77 100644
--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
@@ -48,8 +48,12 @@ class Q(tree.Node):
     XOR = "XOR"
     default = AND
     conditional = True
+    connectors = (None, AND, OR, XOR)
 
     def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+        if _connector not in self.connectors:
+            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
         super().__init__(
             children=[*args, *sorted(kwargs.items())],
             connector=_connector,
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-09-24 15:54:51 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-05 09:33:15 -0300
commit	6703f364d767e949c5b0e4016433ef75063b4f9b (patch)
tree	361d096595aec087af9e80a8a396ae50a2d97922 /django
parent	4f5d904b63751dea9ffc3b0e046404a7fa5881ac (diff)