From b8db807fc4a287d80e37e0786bf054db8016721d Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 24 Sep 2025 15:54:51 -0400 Subject: [PATCH] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. CVE: CVE-2025-64459 Upstream-Status: Backport [https://github.com/django/django/commit/98e642c] Remove XOR, which was introduced in v4.1, and omit this operator from this version. Signed-off-by: Haixiao Yan --- django/db/models/query_utils.py | 10 +++++++++- tests/queries/test_q.py | 6 ++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py index f6bc0bd030de..eb62df83dac7 100644 --- a/django/db/models/query_utils.py +++ b/django/db/models/query_utils.py @@ -54,9 +54,17 @@ class Q(tree.Node): OR = 'OR' default = AND conditional = True + connectors = (None, AND, OR) def __init__(self, *args, _connector=None, _negated=False, **kwargs): - super().__init__(children=[*args, *sorted(kwargs.items())], connector=_connector, negated=_negated) + if _connector not in self.connectors: + connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:]) + raise ValueError(f"_connector must be one of {connector_reprs}, or None.") + super().__init__( + children=[*args, *sorted(kwargs.items())], + connector=_connector, + negated=_negated, + ) def _combine(self, other, conn): if not isinstance(other, Q): diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py index 9adff07ef2f3..765715961bf3 100644 --- a/tests/queries/test_q.py +++ b/tests/queries/test_q.py @@ -103,3 +103,9 @@ class QTests(SimpleTestCase): q = q1 & q2 path, args, kwargs = q.deconstruct() self.assertEqual(Q(*args, **kwargs), q) + + def test_connector_validation(self): + msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, or None." + with self.assertRaisesMessage(ValueError, msg): + Q(_connector="evil") + -- 2.34.1