python3-django: Fix missing JSONField in django.db.models

Fix the following error introduced by CVE-2024-42005.patch: AttributeError: module 'django.db.models' has no attribute 'JSONField' The patch assumes JSONField is available from django.db.models, which is not the case for this Django version. Revert the changes in the following files to restore compatibility: tests/expressions/models.py tests/expressions/test_queryset_values.py Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Haixiao Yan <haixiao.yan.cn@windriver.com> 2026-01-14 10:43:12 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-15 13:45:13 +0100
commit: c1d50d3e50c1348e75187c4cfd71e05b3a4ccdef (patch)
tree: 2967c5df48b14d1bd28318f37837348313f45ba7 /meta-python/recipes-devtools
parent: bca6ddaa0d791bd2a95bf72edca3bb70b03e8cce (diff)
download: meta-openembedded-c1d50d3e50c1348e75187c4cfd71e05b3a4ccdef.tar.gz
2 files changed, 78 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
new file mode 100644
index 0000000000..95a31305a4
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
@@ -0,0 +1,77 @@
+From c019f2cb6fbe266e09c71cd890a22cbce3769b05 Mon Sep 17 00:00:00 2001
+From: Haixiao Yan <haixiao.yan.cn@windriver.com>
+Date: Tue, 13 Jan 2026 14:44:32 +0800
+Subject: [PATCH] python3-django: Fix missing JSONField in django.db.models
+Fix the following error introduced by CVE-2024-42005.patch:
+AttributeError: module 'django.db.models' has no attribute 'JSONField'
+The patch assumes JSONField is available from django.db.models, which
+is not the case for this Django version.
+Revert the changes in the following files to restore compatibility:
+tests/expressions/models.py
+tests/expressions/test_queryset_values.py
+Upstream-Status: Inappropriate [Fix the regression in the previous fix for CVE-2024-42005]
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ tests/expressions/models.py               |  7 -------
+ tests/expressions/test_queryset_values.py | 17 ++---------------
+ 2 files changed, 2 insertions(+), 22 deletions(-)
+diff --git a/tests/expressions/models.py b/tests/expressions/models.py
+index fb8093849cba..33f7850ac16e 100644
+--- a/tests/expressions/models.py
+++ b/tests/expressions/models.py
+@@ -97,10 +97,3 @@ class UUID(models.Model):
+ 
+     def __str__(self):
+         return "%s" % self.uuid
+-
+-
+-class JSONFieldModel(models.Model):
+-    data = models.JSONField(null=True)
+-
+-    class Meta:
+-        required_db_features = {"supports_json_field"}
+diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
+index bd52b8efc194..0804531869d9 100644
+--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
+@@ -1,8 +1,8 @@
+ from django.db.models.aggregates import Sum
+ from django.db.models.expressions import F
+-from django.test import TestCase, skipUnlessDBFeature
+from django.test import TestCase
+ 
+-from .models import Company, Employee, JSONFieldModel
+from .models import Company, Employee
+ 
+ 
+ class ValuesExpressionsTests(TestCase):
+@@ -36,19 +36,6 @@ class ValuesExpressionsTests(TestCase):
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ 
+-    @skipUnlessDBFeature("supports_json_field")
+-    def test_values_expression_alias_sql_injection_json_field(self):
+-        crafted_alias = """injected_name" from "expressions_company"; --"""
+-        msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+-        )
+-        with self.assertRaisesMessage(ValueError, msg):
+-            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+-
+-        with self.assertRaisesMessage(ValueError, msg):
+-            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+-
+     def test_values_expression_group_by(self):
+         # values() applies annotate() first, so values selected are grouped by
+         # id, not firstname.
+-- 
+2.34.1
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index f2bb1de4f2..8e826b9b61 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -33,6 +33,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2025-32873.patch \
            file://CVE-2025-64459.patch \
            file://Fix-undefined-_lazy_re_compile.patch \
+            file://Fix-missing-JSONField-in-django.db.mo.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
author	Haixiao Yan <haixiao.yan.cn@windriver.com>	2026-01-14 10:43:12 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-15 13:45:13 +0100
commit	c1d50d3e50c1348e75187c4cfd71e05b3a4ccdef (patch)
tree	2967c5df48b14d1bd28318f37837348313f45ba7 /meta-python/recipes-devtools
parent	bca6ddaa0d791bd2a95bf72edca3bb70b03e8cce (diff)
download	meta-openembedded-c1d50d3e50c1348e75187c4cfd71e05b3a4ccdef.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch new file mode 100644 index 0000000000..95a31305a4 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
@@ -0,0 +1,77 @@
		1	From c019f2cb6fbe266e09c71cd890a22cbce3769b05 Mon Sep 17 00:00:00 2001
		2	From: Haixiao Yan <haixiao.yan.cn@windriver.com>
		3	Date: Tue, 13 Jan 2026 14:44:32 +0800
		4	Subject: [PATCH] python3-django: Fix missing JSONField in django.db.models
		5
		6	Fix the following error introduced by CVE-2024-42005.patch:
		7
		8	AttributeError: module 'django.db.models' has no attribute 'JSONField'
		9
		10	The patch assumes JSONField is available from django.db.models, which
		11	is not the case for this Django version.
		12
		13	Revert the changes in the following files to restore compatibility:
		14	tests/expressions/models.py
		15	tests/expressions/test_queryset_values.py
		16
		17	Upstream-Status: Inappropriate [Fix the regression in the previous fix for CVE-2024-42005]
		18
		19	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
		20	---
		21	tests/expressions/models.py \| 7 -------
		22	tests/expressions/test_queryset_values.py \| 17 ++---------------
		23	2 files changed, 2 insertions(+), 22 deletions(-)
		24
		25	diff --git a/tests/expressions/models.py b/tests/expressions/models.py
		26	index fb8093849cba..33f7850ac16e 100644
		27	--- a/tests/expressions/models.py
		28	+++ b/tests/expressions/models.py
		29	@@ -97,10 +97,3 @@ class UUID(models.Model):
		30
		31	def __str__(self):
		32	return "%s" % self.uuid
		33	-
		34	-
		35	-class JSONFieldModel(models.Model):
		36	- data = models.JSONField(null=True)
		37	-
		38	- class Meta:
		39	- required_db_features = {"supports_json_field"}
		40	diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
		41	index bd52b8efc194..0804531869d9 100644
		42	--- a/tests/expressions/test_queryset_values.py
		43	+++ b/tests/expressions/test_queryset_values.py
		44	@@ -1,8 +1,8 @@
		45	from django.db.models.aggregates import Sum
		46	from django.db.models.expressions import F
		47	-from django.test import TestCase, skipUnlessDBFeature
		48	+from django.test import TestCase
		49
		50	-from .models import Company, Employee, JSONFieldModel
		51	+from .models import Company, Employee
		52
		53
		54	class ValuesExpressionsTests(TestCase):
		55	@@ -36,19 +36,6 @@ class ValuesExpressionsTests(TestCase):
		56	with self.assertRaisesMessage(ValueError, msg):
		57	Company.objects.values(**{crafted_alias: F("ceo__salary")})
		58
		59	- @skipUnlessDBFeature("supports_json_field")
		60	- def test_values_expression_alias_sql_injection_json_field(self):
		61	- crafted_alias = """injected_name" from "expressions_company"; --"""
		62	- msg = (
		63	- "Column aliases cannot contain whitespace characters, quotation marks, "
		64	- "semicolons, or SQL comments."
		65	- )
		66	- with self.assertRaisesMessage(ValueError, msg):
		67	- JSONFieldModel.objects.values(f"data__{crafted_alias}")
		68	-
		69	- with self.assertRaisesMessage(ValueError, msg):
		70	- JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
		71	-
		72	def test_values_expression_group_by(self):
		73	# values() applies annotate() first, so values selected are grouped by
		74	# id, not firstname.
		75	--
		76	2.34.1
		77


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index f2bb1de4f2..8e826b9b61 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -33,6 +33,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
33	file://CVE-2025-32873.patch \	33	file://CVE-2025-32873.patch \
34	file://CVE-2025-64459.patch \	34	file://CVE-2025-64459.patch \
35	file://Fix-undefined-_lazy_re_compile.patch \	35	file://Fix-undefined-_lazy_re_compile.patch \
		36	file://Fix-missing-JSONField-in-django.db.mo.patch \
36	"	37	"
37		38
38	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	39	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"