authorJacob Walls <jacobtylerwalls@gmail.com>2025-09-24 15:54:51 -0400
committerNatalia <124304+nessita@users.noreply.github.com>2025-11-05 09:29:44 -0300
commit06dd38324ac3d60d83d9f3adabf0dcdf423d2a85 (patch)
tree44dfc7b5072cdc2d9bc1e5a07ab2a0a56f2abaaf /django
parent6e13348436fccf8f22982921d6a3a3e65c956a9f (diff)
[6.0.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of 98e642c69181c942d60a10ca0085d48c6b3068bb from main.
Diffstat (limited to 'django')
-rw-r--r--django/db/models/query_utils.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
index c383b80640..c1baf5c436 100644
--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
@@ -48,8 +48,12 @@ class Q(tree.Node):
XOR = "XOR"
default = AND
conditional = True
+ connectors = (None, AND, OR, XOR)
def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+ if _connector not in self.connectors:
+ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+ raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
super().__init__(
children=[*args, *sorted(kwargs.items())],
connector=_connector,