MIRRORS/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-27 12:01:38 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
2e331249b2
meta-openembedded/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch
Haixiao Yan 0d50915759 python3-django: fix CVE-2025-64459 
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Upstream-patch:
98e642c691

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2025-12-18 09:10:52 +01:00

61 lines
2.2 KiB
Diff
Raw Blame History

From b8db807fc4a287d80e37e0786bf054db8016721d Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 24 Sep 2025 15:54:51 -0400
Subject: [PATCH] Fixed CVE-2025-64459 -- Prevented SQL injections in
Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
CVE: CVE-2025-64459
Upstream-Status: Backport [https://github.com/django/django/commit/98e642c]
Remove XOR, which was introduced in v4.1, and omit this operator from this version.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/db/models/query_utils.py | 10 +++++++++-
tests/queries/test_q.py | 6 ++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
index f6bc0bd030de..eb62df83dac7 100644
--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
@@ -54,9 +54,17 @@ class Q(tree.Node):
OR = 'OR'
default = AND
conditional = True
+ connectors = (None, AND, OR)
def __init__(self, *args, _connector=None, _negated=False, **kwargs):
- super().__init__(children=[*args, *sorted(kwargs.items())], connector=_connector, negated=_negated)
+ if _connector not in self.connectors:
+ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+ raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
+ super().__init__(
+ children=[*args, *sorted(kwargs.items())],
+ connector=_connector,
+ negated=_negated,
+ )
def _combine(self, other, conn):
if not isinstance(other, Q):
diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
index 9adff07ef2f3..765715961bf3 100644
--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -103,3 +103,9 @@ class QTests(SimpleTestCase):
q = q1 & q2
path, args, kwargs = q.deconstruct()
self.assertEqual(Q(*args, **kwargs), q)
+
+ def test_connector_validation(self):
+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, or None."
+ with self.assertRaisesMessage(ValueError, msg):
+ Q(_connector="evil")
+
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink