[5.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-09-24 15:54:51 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-05 09:33:15 -0300
commit: 6703f364d767e949c5b0e4016433ef75063b4f9b (patch)
tree: 361d096595aec087af9e80a8a396ae50a2d97922 /tests
parent: 4f5d904b63751dea9ffc3b0e046404a7fa5881ac (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
index 1a62aca061..52200b2ecf 100644
--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -272,6 +272,11 @@ class QTests(SimpleTestCase):
                     Q(*items, _connector=connector),
                 )
 
+    def test_connector_validation(self):
+        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+        with self.assertRaisesMessage(ValueError, msg):
+            Q(_connector="evil")
+
     def test_referenced_base_fields(self):
         # Make sure Q.referenced_base_fields retrieves all base fields from
         # both filters and F expressions.
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-09-24 15:54:51 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-05 09:33:15 -0300
commit	6703f364d767e949c5b0e4016433ef75063b4f9b (patch)
tree	361d096595aec087af9e80a8a396ae50a2d97922 /tests
parent	4f5d904b63751dea9ffc3b0e046404a7fa5881ac (diff)