[6.0.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion.

Backport of 3c3f46357718166069948625354b8315a8505262 from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-09-24 15:56:03 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-05 09:30:12 -0300
commit: a3f3a81f33815fce03b467df397b1ec7758c900c (patch)
tree: c231ddbab6f5bb5aabca15039cb5cd05b3d07ff8 /django/db
parent: 06dd38324ac3d60d83d9f3adabf0dcdf423d2a85 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/django/db/models/query.py b/django/db/models/query.py
index 7ff28b74e0..9c7d8d8a81 100644
--- a/django/db/models/query.py
+++ b/django/db/models/query.py
@@ -44,6 +44,8 @@ MAX_GET_RESULTS = 21
 # The maximum number of items to display in a QuerySet.__repr__
 REPR_OUTPUT_SIZE = 20
 
+PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
+
 
 class BaseIterable:
     def __init__(
@@ -1559,6 +1561,9 @@ class QuerySet(AltersData):
         return clone
 
     def _filter_or_exclude_inplace(self, negate, args, kwargs):
+        if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
+            invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs))
+            raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}")
         if negate:
             self._query.add_q(~Q(*args, **kwargs))
         else:
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-09-24 15:56:03 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-05 09:30:12 -0300
commit	a3f3a81f33815fce03b467df397b1ec7758c900c (patch)
tree	c231ddbab6f5bb5aabca15039cb5cd05b3d07ff8 /django/db
parent	06dd38324ac3d60d83d9f3adabf0dcdf423d2a85 (diff)