authorJacob Walls <jacobtylerwalls@gmail.com>2025-09-24 15:54:51 -0400
committerNatalia <124304+nessita@users.noreply.github.com>2025-11-05 09:29:44 -0300
commit06dd38324ac3d60d83d9f3adabf0dcdf423d2a85 (patch)
tree44dfc7b5072cdc2d9bc1e5a07ab2a0a56f2abaaf /tests
parent6e13348436fccf8f22982921d6a3a3e65c956a9f (diff)
[6.0.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of 98e642c69181c942d60a10ca0085d48c6b3068bb from main.
Diffstat (limited to 'tests')
-rw-r--r--tests/queries/test_q.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
index 1a62aca061..52200b2ecf 100644
--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -272,6 +272,11 @@ class QTests(SimpleTestCase):
Q(*items, _connector=connector),
)
+ def test_connector_validation(self):
+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+ with self.assertRaisesMessage(ValueError, msg):
+ Q(_connector="evil")
+
def test_referenced_base_fields(self):
# Make sure Q.referenced_base_fields retrieves all base fields from
# both filters and F expressions.
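Review bot: test_connector_validation rejects only one obviously invalid string, so it would still pass if the check were later loosened to a case-insensitive or whitespace-tolerant comparison. Looping near-miss values under subTest would pin exact matching: `for connector in ("and", "AND ", " OR"):` followed by `with self.subTest(connector=connector), self.assertRaisesMessage(ValueError, msg):` around `Q(_connector=connector)`. The commit title names QuerySet as well as Q, but this section only exercises the Q constructor; if the queryset path is not covered elsewhere, a companion test that passes the same keyword through a queryset filter call would guard against a refactor that bypasses this validation. A one-line comment such as `# Regression test for CVE-2025-64459: _connector must be an exact known connector.` would also tell later readers why the test must not be relaxed. The enclosing QTests class begins outside the hunk.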