python3-django: fix CVE-2025-64459

The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64459 https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Upstream-patch: https://github.com/django/django/commit/98e642c69181c942d60a10ca0085d48c6b3068bb Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-12-18 10:43:31 +08:00
parent 8611f92c20
commit 0d50915759
2 changed files with 61 additions and 0 deletions
@@ -0,0 +1,60 @@
+From b8db807fc4a287d80e37e0786bf054db8016721d Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:54:51 -0400
+Subject: [PATCH] Fixed CVE-2025-64459 -- Prevented SQL injections in
+ Q/QuerySet via the _connector kwarg.
+
+Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
+Charette, and Jake Howard for the reviews.
+
+CVE: CVE-2025-64459
+
+Upstream-Status: Backport [https://github.com/django/django/commit/98e642c]
+Remove XOR, which was introduced in v4.1, and omit this operator from this version.
+
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ django/db/models/query_utils.py | 10 +++++++++-
+ tests/queries/test_q.py         |  6 ++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
+index f6bc0bd030de..eb62df83dac7 100644
+--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
+@@ -54,9 +54,17 @@ class Q(tree.Node):
+     OR = 'OR'
+     default = AND
+     conditional = True
+    connectors = (None, AND, OR)
+ 
+     def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+-        super().__init__(children=[*args, *sorted(kwargs.items())], connector=_connector, negated=_negated)
+        if _connector not in self.connectors:
+            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
+        super().__init__(
+            children=[*args, *sorted(kwargs.items())],
+            connector=_connector,
+            negated=_negated,
+        )
+ 
+     def _combine(self, other, conn):
+         if not isinstance(other, Q):
+diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
+index 9adff07ef2f3..765715961bf3 100644
+--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
+@@ -103,3 +103,9 @@ class QTests(SimpleTestCase):
+         q = q1 & q2
+         path, args, kwargs = q.deconstruct()
+         self.assertEqual(Q(*args, **kwargs), q)
+
+    def test_connector_validation(self):
+        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, or None."
+        with self.assertRaisesMessage(ValueError, msg):
+            Q(_connector="evil")
+
+-- 
+2.34.1
+
@@ -31,6 +31,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2024-39329.patch \
            file://CVE-2024-39330.patch \
            file://CVE-2025-32873.patch \
+            file://CVE-2025-64459.patch \
           "

 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"