mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

Browse Source 
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
This commit is contained in:
Jacob Walls
2025-09-24 15:54:51 -04:00
committed by Natalia
parent c880530ddd
commit 98e642c691
5 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tests/queries/test_q.py
View File

@@ -272,6 +272,11 @@ class QTests(SimpleTestCase):
Q(*items, _connector=connector),
)
def test_connector_validation(self):
msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
with self.assertRaisesMessage(ValueError, msg):
Q(_connector="evil")
def test_referenced_base_fields(self):
# Make sure Q.referenced_base_fields retrieves all base fields from
# both filters and F expressions.