From 415912be531179e90e69f0be2e8bca301de53765 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 24 Sep 2025 15:56:03 -0400 Subject: [PATCH] [5.1.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion. Backport of 3c3f46357718166069948625354b8315a8505262 from main. CVE: CVE-2025-64459 Upstream-Status: Backport [https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671] Signed-off-by: Haixiao Yan --- django/db/models/query.py | 5 +++++ tests/queries/tests.py | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/django/db/models/query.py b/django/db/models/query.py index 153fb1193ebf..3308cd48db00 100644 --- a/django/db/models/query.py +++ b/django/db/models/query.py @@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21 # The maximum number of items to display in a QuerySet.__repr__ REPR_OUTPUT_SIZE = 20 +PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"]) + class BaseIterable: def __init__( @@ -1495,6 +1497,9 @@ class QuerySet(AltersData): return clone def _filter_or_exclude_inplace(self, negate, args, kwargs): + if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs): + invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs)) + raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}") if negate: self._query.add_q(~Q(*args, **kwargs)) else: diff --git a/tests/queries/tests.py b/tests/queries/tests.py index 20665ab2cda3..5df231949194 100644 --- a/tests/queries/tests.py +++ b/tests/queries/tests.py @@ -4481,6 +4481,14 @@ class TestInvalidValuesRelation(SimpleTestCase): Annotation.objects.filter(tag__in=[123, "abc"]) +class TestInvalidFilterArguments(TestCase): + def test_filter_rejects_invalid_arguments(self): + school = School.objects.create() + msg = "The following kwargs are invalid: '_connector', '_negated'" + with self.assertRaisesMessage(TypeError, msg): + School.objects.filter(pk=school.pk, _negated=True, _connector="evil") + + class TestTicket24605(TestCase): def test_ticket_24605(self): """ -- 2.34.1