[4.2.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion.

Backport of 3c3f46357718166069948625354b8315a8505262 from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-09-24 15:56:03 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-05 09:53:33 -0300
commit: 279f8b9557f0fef9790822b0c38164fc9dfcab2a (patch)
tree: ed46e50c94c6beb173365879f012014088fd6fd2 /django
parent: 59ae82e67053d281ff4562a24bbba21299f0a7d4 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/django/db/models/query.py b/django/db/models/query.py
index 19c9ced23e..31718a3a3b 100644
--- a/django/db/models/query.py
+++ b/django/db/models/query.py
@@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21
 # The maximum number of items to display in a QuerySet.__repr__
 REPR_OUTPUT_SIZE = 20
 
+PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
+
 
 class BaseIterable:
     def __init__(
@@ -1455,6 +1457,9 @@ class QuerySet(AltersData):
         return clone
 
     def _filter_or_exclude_inplace(self, negate, args, kwargs):
+        if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
+            invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs))
+            raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}")
         if negate:
             self._query.add_q(~Q(*args, **kwargs))
         else:
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-09-24 15:56:03 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-05 09:53:33 -0300
commit	279f8b9557f0fef9790822b0c38164fc9dfcab2a (patch)
tree	ed46e50c94c6beb173365879f012014088fd6fd2 /django
parent	59ae82e67053d281ff4562a24bbba21299f0a7d4 (diff)