From 45f5d17986f70f0aaf4a666b2d71ae6750beeb88 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 24 Sep 2025 15:54:51 -0400 Subject: [PATCH] [5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main. CVE: CVE-2025-64459 Upstream-Status: Backport [https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241] Signed-off-by: Haixiao Yan --- django/db/models/query_utils.py | 4 ++++ tests/queries/test_q.py | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py index a04bbad5e7f8..d8610bc54d46 100644 --- a/django/db/models/query_utils.py +++ b/django/db/models/query_utils.py @@ -47,8 +47,12 @@ class Q(tree.Node): XOR = "XOR" default = AND conditional = True + connectors = (None, AND, OR, XOR) def __init__(self, *args, _connector=None, _negated=False, **kwargs): + if _connector not in self.connectors: + connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:]) + raise ValueError(f"_connector must be one of {connector_reprs}, or None.") super().__init__( children=[*args, *sorted(kwargs.items())], connector=_connector, diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py index f7192a430a12..b21ec929a2ec 100644 --- a/tests/queries/test_q.py +++ b/tests/queries/test_q.py @@ -264,6 +264,11 @@ class QTests(SimpleTestCase): Q(*items, _connector=connector), ) + def test_connector_validation(self): + msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None." + with self.assertRaisesMessage(ValueError, msg): + Q(_connector="evil") + def test_referenced_base_fields(self): # Make sure Q.referenced_base_fields retrieves all base fields from # both filters and F expressions. -- 2.34.1