diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-09-24 15:54:51 -0400 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-11-05 09:53:18 -0300 |
| commit | 59ae82e67053d281ff4562a24bbba21299f0a7d4 (patch) | |
| tree | 88d61922dfc7eb686bbdbd91aee26e466e601c0c | |
| parent | 770eea38d7a0e9ba9455140b5a9a9e33618226a7 (diff) | |
[4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
| -rw-r--r-- | django/db/models/query_utils.py | 4 | ||||
| -rw-r--r-- | docs/releases/4.2.26.txt | 7 | ||||
| -rw-r--r-- | tests/queries/test_q.py | 5 |
3 files changed, 16 insertions, 0 deletions
diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py index 5c5644cfb3..a85a682e52 100644 --- a/django/db/models/query_utils.py +++ b/django/db/models/query_utils.py @@ -44,8 +44,12 @@ class Q(tree.Node): XOR = "XOR" default = AND conditional = True + connectors = (None, AND, OR, XOR) def __init__(self, *args, _connector=None, _negated=False, **kwargs): + if _connector not in self.connectors: + connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:]) + raise ValueError(f"_connector must be one of {connector_reprs}, or None.") super().__init__( children=[*args, *sorted(kwargs.items())], connector=_connector, diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt index ae274c3361..20cf48f05c 100644 --- a/docs/releases/4.2.26.txt +++ b/docs/releases/4.2.26.txt @@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, :func:`redirect() <django.shortcuts.redirect>` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters (follow up to :cve:`2025-27556`). + +CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument +=========================================================================== + +:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`, +and :class:`~.Q` were subject to SQL injection using a suitably crafted +dictionary, with dictionary expansion, as the ``_connector`` argument. diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py index cdf40292b0..5f20a41768 100644 --- a/tests/queries/test_q.py +++ b/tests/queries/test_q.py @@ -225,6 +225,11 @@ class QTests(SimpleTestCase): Q(*items, _connector=connector), ) + def test_connector_validation(self): + msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None." + with self.assertRaisesMessage(ValueError, msg): + Q(_connector="evil") + class QCheckTests(TestCase): def test_basic(self): |