From 06dd38324ac3d60d83d9f3adabf0dcdf423d2a85 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 24 Sep 2025 15:54:51 -0400 Subject: [6.0.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of 98e642c69181c942d60a10ca0085d48c6b3068bb from main. --- tests/queries/test_q.py | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'tests') diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py index 1a62aca061..52200b2ecf 100644 --- a/tests/queries/test_q.py +++ b/tests/queries/test_q.py @@ -272,6 +272,11 @@ class QTests(SimpleTestCase): Q(*items, _connector=connector), ) + def test_connector_validation(self): + msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None." + with self.assertRaisesMessage(ValueError, msg): + Q(_connector="evil") + def test_referenced_base_fields(self): # Make sure Q.referenced_base_fields retrieves all base fields from # both filters and F expressions. -- cgit v1.3