Compare commits
1 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
|
59a6beb077 |
82
CVE-2025-57833.patch
Normal file
82
CVE-2025-57833.patch
Normal file
@@ -0,0 +1,82 @@
|
|||||||
|
From 4c044fcc866ec226f612c475950b690b0139d243 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jake Howard <git@theorangeone.net>
|
||||||
|
Date: Wed, 13 Aug 2025 14:13:42 +0200
|
||||||
|
Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
|
||||||
|
against SQL injection in column aliases.
|
||||||
|
|
||||||
|
Thanks Eyal Gabay (EyalSec) for the report.
|
||||||
|
|
||||||
|
Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
|
||||||
|
---
|
||||||
|
django/db/models/sql/query.py | 1 +
|
||||||
|
docs/releases/4.2.24.txt | 7 +++++++
|
||||||
|
docs/releases/5.1.12.txt | 7 +++++++
|
||||||
|
docs/releases/5.2.6.txt | 7 +++++++
|
||||||
|
tests/annotations/tests.py | 24 ++++++++++++++++++++++++
|
||||||
|
5 files changed, 46 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
|
||||||
|
index 9b44d017ffe3..5247616086aa 100644
|
||||||
|
--- a/django/db/models/sql/query.py
|
||||||
|
+++ b/django/db/models/sql/query.py
|
||||||
|
@@ -1696,6 +1696,7 @@ def _add_q(
|
||||||
|
return target_clause, needed_inner
|
||||||
|
|
||||||
|
def add_filtered_relation(self, filtered_relation, alias):
|
||||||
|
+ self.check_alias(alias)
|
||||||
|
filtered_relation.alias = alias
|
||||||
|
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
|
||||||
|
filtered_relation.relation_name
|
||||||
|
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
|
||||||
|
index 6c0d7b668c33..060d6324c74c 100644
|
||||||
|
--- a/tests/annotations/tests.py
|
||||||
|
+++ b/tests/annotations/tests.py
|
||||||
|
@@ -14,6 +14,7 @@
|
||||||
|
Exists,
|
||||||
|
ExpressionWrapper,
|
||||||
|
F,
|
||||||
|
+ FilteredRelation,
|
||||||
|
FloatField,
|
||||||
|
Func,
|
||||||
|
IntegerField,
|
||||||
|
@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
|
||||||
|
with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
Book.objects.annotate(**{crafted_alias: Value(1)})
|
||||||
|
|
||||||
|
+ def test_alias_filtered_relation_sql_injection(self):
|
||||||
|
+ crafted_alias = """injected_name" from "annotations_book"; --"""
|
||||||
|
+ msg = (
|
||||||
|
+ "Column aliases cannot contain whitespace characters, quotation marks, "
|
||||||
|
+ "semicolons, or SQL comments."
|
||||||
|
+ )
|
||||||
|
+ with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
+ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
|
||||||
|
+
|
||||||
|
def test_alias_forbidden_chars(self):
|
||||||
|
tests = [
|
||||||
|
'al"ias',
|
||||||
|
@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
|
||||||
|
with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
Book.objects.annotate(**{crafted_alias: Value(1)})
|
||||||
|
|
||||||
|
+ with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
+ Book.objects.annotate(
|
||||||
|
+ **{crafted_alias: FilteredRelation("authors")}
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
@skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
|
||||||
|
@skipUnlessDBFeature("supports_json_field")
|
||||||
|
def test_set_returning_functions(self):
|
||||||
|
@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
|
||||||
|
)
|
||||||
|
with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
Book.objects.alias(**{crafted_alias: Value(1)})
|
||||||
|
+
|
||||||
|
+ def test_alias_filtered_relation_sql_injection(self):
|
||||||
|
+ crafted_alias = """injected_name" from "annotations_book"; --"""
|
||||||
|
+ msg = (
|
||||||
|
+ "Column aliases cannot contain whitespace characters, quotation marks, "
|
||||||
|
+ "semicolons, or SQL comments."
|
||||||
|
+ )
|
||||||
|
+ with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
+ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
|
||||||
@@ -1,3 +1,8 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 4 13:14:40 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||||
|
|
||||||
|
- Add security patch CVE-2025-57833.patch (bsc#1248810)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Jul 19 06:51:37 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
Sat Jul 19 06:51:37 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||||
|
|
||||||
|
|||||||
@@ -32,6 +32,8 @@ Source2: %{name}.keyring
|
|||||||
Source99: python-Django-rpmlintrc
|
Source99: python-Django-rpmlintrc
|
||||||
# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
|
# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
|
||||||
Patch0: test_strip_tags.patch
|
Patch0: test_strip_tags.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2025-57833.patch bsc#1248810
|
||||||
|
Patch1: CVE-2025-57833.patch
|
||||||
BuildRequires: %{python_module Jinja2 >= 2.9.2}
|
BuildRequires: %{python_module Jinja2 >= 2.9.2}
|
||||||
BuildRequires: %{python_module Pillow >= 6.2.0}
|
BuildRequires: %{python_module Pillow >= 6.2.0}
|
||||||
BuildRequires: %{python_module PyYAML}
|
BuildRequires: %{python_module PyYAML}
|
||||||
|
|||||||
Reference in New Issue
Block a user