pool/python-Django
SHA256
17
0
Fork 3
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory pool:leap-16.0 pool:leap-16.1
..
compare: pool:leap-16.1
Branches Tags
pool:factory pool:leap-16.0 pool:leap-16.1

1 Commits
factory ... leap-16.1

Author SHA256 Message Date
Markéta Calábková
59a6beb077 CVE-2025-57833 2025-09-04 15:16:57 +02:00
10 changed files with 179 additions and 298 deletions
Expand all files Collapse all files

82
CVE-2025-57833.patch Normal file
View File

@@ -0,0 +1,82 @@
From 4c044fcc866ec226f612c475950b690b0139d243 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Wed, 13 Aug 2025 14:13:42 +0200
Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
---
django/db/models/sql/query.py | 1 +
docs/releases/4.2.24.txt | 7 +++++++
docs/releases/5.1.12.txt | 7 +++++++
docs/releases/5.2.6.txt | 7 +++++++
tests/annotations/tests.py | 24 ++++++++++++++++++++++++
5 files changed, 46 insertions(+)
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 9b44d017ffe3..5247616086aa 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1696,6 +1696,7 @@ def _add_q(
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
+ self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
filtered_relation.relation_name
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
index 6c0d7b668c33..060d6324c74c 100644
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -14,6 +14,7 @@
Exists,
ExpressionWrapper,
F,
+ FilteredRelation,
FloatField,
Func,
IntegerField,
@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
+ def test_alias_filtered_relation_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
+
def test_alias_forbidden_chars(self):
tests = [
'al"ias',
@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(
+ **{crafted_alias: FilteredRelation("authors")}
+ )
+
@skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
@skipUnlessDBFeature("supports_json_field")
def test_set_returning_functions(self):
@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: Value(1)})
+
+ def test_alias_filtered_relation_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})

68
Django-5.2.4.checksum.txt Normal file
View File

@@ -0,0 +1,68 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This file contains MD5, SHA1, and SHA256 checksums for the
source-code tarball and wheel files of Django 5.2.4, released July 2, 2025.
To use this file, you will need a working install of PGP or other
compatible public-key encryption software. You will also need to have
the Django release manager's public key in your keyring. This key has
the ID ``2EE82A8D9470983E`` and can be imported from the MIT
keyserver, for example, if using the open-source GNU Privacy Guard
implementation of PGP:
gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
or via the GitHub API:
curl https://github.com/nessita.gpg | gpg --import -
Once the key is imported, verify this file:
gpg --verify Django-5.2.4.checksum.txt
Once you have verified this file, you can use normal MD5, SHA1, or SHA256
checksumming applications to generate the checksums of the Django
package and compare them to the checksums listed below.
Release packages
================
https://www.djangoproject.com/download/5.2.4/tarball/
https://www.djangoproject.com/download/5.2.4/wheel/
MD5 checksums
=============
6ecc4875e8cdc08706faea1cc4740fdf django-5.2.4.tar.gz
fee657f7686462d388f274c5f92b634a django-5.2.4-py3-none-any.whl
SHA1 checksums
==============
de45d44e1bb2ceb1c08b8fd0846de920874f71a1 django-5.2.4.tar.gz
a6a7904e3749a0e8937a50643293889929b4b6f7 django-5.2.4-py3-none-any.whl
SHA256 checksums
================
a1228c384f8fa13eebc015196db7b3e08722c5058d4758d20cb287503a540d8f django-5.2.4.tar.gz
60c35bd96201b10c6e7a78121bd0da51084733efa303cc19ead021ab179cef5e django-5.2.4-py3-none-any.whl
-----BEGIN PGP SIGNATURE-----
iQJcBAEBCABGFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmhlfcIoHDEyNDMwNCtu
ZXNzaXRhQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbQAKCRAu6CqNlHCYPj5DD/94
KOuOZ5JHtZWknqi1JeV1akzB/RpY7lhL9SbJbVXhdAxOY9Cn4eUG7NsPWa9JnhX1
F/2geBE5mjOZen4ARtGHWxa5vqidqUbscrU9AkqPLn6aecEKi2jXXNkYmmWw/37K
wb92BQtuWkaXyiZ4E6Sledx9yFhcqMDFg27CdNYfAqUWofI6zzSmLIzOlOSVR9Sc
uDrfRqQ4GXlRGT5pIkcIxE0ZKToUYrKgn99PZOmBcLfJgQ4VBt62J6SzZAhhElb3
DUMcVhG2XNIhg7v7DwlVodowDYQdRi2H/ahAa7/m1+uugRbysoGSLLwP+50tDjlj
07zxoJsrL5R9zaMp4pcXQN4bUy3rDz94DkjlXO51f8LwDdStvk4VOYan1W5S9BhP
R0conCFfcg4+iK0pV5e/GeeTwBRHQw8p5RuWfrEpKFi/XQtT0u01hqUGppeuZ9wI
f+Ud9RA8Nrw0ouli4WvfH0RVFuMgUFqScwO88oatuUH5CDPjlV+5usNb7FrmZXv6
AWRopONOcYGF07+FYh0nsoE8enWyxE+JWTJzxT5PGZ3buUO0hlnJ+auoJv8yOVii
ELCSUyi93glWonCBrS41XrNO6+6K/8V9V6iv9/PdGwF1GszbX5Rx4e2lDMA7crYh
1qKGaV3+iAO+Y+vXt6VTy6h5GLg9hun+RQ8TU3Guyg==
=d9C5
-----END PGP SIGNATURE-----

67
Django-5.2.9.checksum.txt
View File

@@ -1,67 +0,0 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This file contains MD5, SHA1, and SHA256 checksums for the
source-code tarball and wheel files of Django 5.2.9, released December 2, 2025.
To use this file, you will need a working install of PGP or other
compatible public-key encryption software. You will also need to have
the Django release manager's public key in your keyring. This key has
the ID ``2EE82A8D9470983E`` and can be imported from the MIT
keyserver, for example, if using the open-source GNU Privacy Guard
implementation of PGP:
gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
or via the GitHub API:
curl https://github.com/nessita.gpg | gpg --import -
Once the key is imported, verify this file:
gpg --verify Django-5.2.9.checksum.txt
Once you have verified this file, you can use normal MD5, SHA1, or SHA256
checksumming applications to generate the checksums of the Django
package and compare them to the checksums listed below.
Release packages
================
https://www.djangoproject.com/download/5.2.9/tarball/
https://www.djangoproject.com/download/5.2.9/wheel/
MD5 checksums
=============
e7d89ddfdca79542039dbab31e4bede8 django-5.2.9.tar.gz
42dd57f28b8dd5750ef76b64277d3e9e django-5.2.9-py3-none-any.whl
SHA1 checksums
==============
7a086625e45275159590da36818923da76beeb8d django-5.2.9.tar.gz
c0808a610ea903a17736634e9c21556ea9d675e4 django-5.2.9-py3-none-any.whl
SHA256 checksums
================
16b5ccfc5e8c27e6c0561af551d2ea32852d7352c67d452ae3e76b4f6b2ca495 django-5.2.9.tar.gz
3a4ea88a70370557ab1930b332fd2887a9f48654261cdffda663fef5976bb00a django-5.2.9-py3-none-any.whl
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmku3VwACgkQLugqjZRw
mD5F3g//dIdnKXZmSm2DAUNOKK97RSceCWzcbL9GAEclVz2F1Nnj8ZkXM+T060Lk
yYZnWVpfwyux/ak1tjWWKfI28jrZ8TQBq5l/MHELYL4s2exel9oQXFqkfyqUlwga
S/OdhXZavabW+aAdVe/OMC7AnFbCRo5dbM1XF9U5KOtEG2FsU0RkqOyIpXZvZ/Tk
jQD7DzGco7lWEbtiZSe9sAPzImW3hRWKHkxo+IRiAPqNNRjIlK9o/voiqWzEYco6
A3wWLSmAgUDTXfkcSbkVsETev7dpzhlBQZN1CDTMR3fzsLevdvqxMZYaENwg+K/x
ARtUaMBsVhbB/Z4NO0OYrHe4aQbDxS/e2RjBWQG5hIXWwhbNNtrfZ9kxnJRcRgur
xyl3GBuN9vLC0BgGpdmg0FTBwpervJiHYcmcxY93IxcM7/WMb3qFEN7XZxJIrwW/
5qBa3+q1sjoqI1RF7MIhCUAhDO56MRFx1dn1iF8iokXjrKpOmf4pKr/1qujaC8rs
KN+Fs99PHGmbXgpb/AfP9nVDPTZFFO2iLbpwICOqTmT9yiFI7lYRt2N4ozb0hcI4
o/1LkjE9JDpYKa1DeoIwlMnC18EJJfI3NMDIHzUFzS0jLGtIoM5A7xf4fK0+t26U
AMZIegmynfVhyfMHUaVwPL9LFtiFqdUX7fPTrFlO2pmtCAFMgy8=
=kZfB
-----END PGP SIGNATURE-----

3
django-5.2.4.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1228c384f8fa13eebc015196db7b3e08722c5058d4758d20cb287503a540d8f
size 10831909

3
django-5.2.9.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:16b5ccfc5e8c27e6c0561af551d2ea32852d7352c67d452ae3e76b4f6b2ca495
size 10848762

68
python-Django.changes
View File

@@ -1,71 +1,7 @@
-------------------------------------------------------------------
Mon Dec 8 11:54:46 UTC 2025 - Markéta Machová <mmachova@suse.com>
Thu Sep 4 13:14:40 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.9 (bsc#1254437)
* CVE-2025-13372: Potential SQL injection in FilteredRelation column
aliases on PostgreSQL
* CVE-2025-64460: Potential denial-of-service vulnerability in XML
Deserializer
* Fixed a crash on Python 3.14+ that prevented template tag functions
from being registered
* Fixed more bugs and regressions, see upstream release notes
-------------------------------------------------------------------
Thu Nov 6 07:20:08 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.8 (bsc#1252926)
* CVE-2025-64459: Potential SQL injection via _connector keyword argument
* Added compatibility for oracledb 3.4.0
* Fixed a bug in Django 5.2 where QuerySet.first() and QuerySet.last()
raised an error on querysets performing aggregation that selected all
fields of a composite primary key.
-------------------------------------------------------------------
Thu Oct 2 09:41:30 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.7 (bsc#1250485, bsc#1250487)
* CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
aggregate(), and extra() on MySQL and MariaDB
* CVE-2025-59682: Potential partial directory-traversal via archive.extract()
* Fixed a regression in Django 5.2 that reduced the color contrast of the
label of filter_horizontal and filter_vertical widgets within a TabularInline
-------------------------------------------------------------------
Thu Sep 4 10:02:00 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.6 (bsc#1248810)
* CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases
* Fixed a bug where using QuerySet.values() or values_list() with a ForeignObject
composed of multiple fields returned incorrect results instead of tuples of
the referenced fields
- Rebased test_strip_tags.patch
-------------------------------------------------------------------
Tue Aug 12 10:52:26 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.5
* Fixed a regression in Django 5.2.1 that prevented the usage of UNNEST
PostgreSQL strategy of QuerySet.bulk_create() with foreign keys
* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions
* Fixed a crash in Django 5.2 when validating a model that uses
GeneratedField or constraints composed of Q and Case lookups
* Added compatibility for docutils 0.22
* Fixed a crash in Django 5.2 when using a ManyToManyField on a model with
a composite primary key, by extending the fields.E347 system check
- Convert to libalternatives on SLE-16-based and newer systems
-------------------------------------------------------------------
Fri Aug 1 02:09:01 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
- Reinstate Requires on tzdata, a lot of packages use it.
-------------------------------------------------------------------
Wed Jul 30 06:03:44 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-msgfmt-0.25.patch:
* Support msgfmt 0.25 error messages changes. (bsc#1246966)
- Remove unneeded Requires on tzdata.
- Add security patch CVE-2025-57833.patch (bsc#1248810)
-------------------------------------------------------------------
Sat Jul 19 06:51:37 UTC 2025 - Markéta Machová <mmachova@suse.com>

52
python-Django.keyring
View File

@@ -130,55 +130,3 @@ BzeRu0mAvjLkLNegQIvfdVXfYIcwUQQB8OAzoz3qzi8vji82MBQO+gkYrlteivoF
z+gZLcBuv/NdNg==
=B8gH
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGV2bPUBEADQ/fSfsrdv/aGrUmyQ1ZmZNSDqlH8GXQH+LQiqOc5QjSgq09kv
YC5H3+yRmj4ENYJrD48Mce54k99U6LXhIopmPnCwnQjhpkXFqaZt8KtlhL/5VhIc
BFSodLkEFENWzpuxOkshOJYU8RxLO6MPQGKkokEGhxUHnNW5kwmGa93Iscu04SZR
L2pAHfYsnxB2Z5HAl4Os6iy7CKP8T5UQhGxwxojvjPyRJTb3IUDifjafPl4kbQyN
GdpgVnjHQtOzoVcXCsU4ig105IzydIf5BTYng3+idmlhQ1u8JzGETdlBvCtxg1K2
FmGD6IFzyvksdf44DNmxXmGnpMJK3y0+dpFzo33YBE3kFnYm57bwY55tdKmGnDyK
rR/1mARVOLQQYrDT6hgggNwRfqpTk28nU463LnXrLS89zaOxGQhfLm7w9kZ69WDd
UpI4RdZjA/klQJhPmLS7b8YmmZstvoZitsMgpPiexO+x7igMvWvuNyE8QL2EZ54K
6ojVObAdIbQe4LbiYCSut81F6e6tRsX3Jb46y5iUCZEkHvGsrZW6V1l/AIuYBecO
Xr5mmk5W4TpUlXTnyDFJr/FFtWfR1j2Z3ti+pZqAO4GUEUAjox+Dz/shKpmen7Qm
aj/Y/nuvD70B3c5XTWn62zTXVPYVX76sDnIuVsh/kORSP32OqMkesFKT9QARAQAB
tCdKYWNvYiBXYWxscyA8amFjb2J0eWxlcndhbGxzQGdtYWlsLmNvbT6JAlQEEwEI
AD4WIQRT1GlC4Aaio+7ci8gTFAP00W2NxwUCZXZs9QIbAwUJB4Ye+wULCQgHAgYV
CgkICwIEFgIDAQIeAQIXgAAKCRATFAP00W2NxwWVD/9ZTx8q3qsAXfOaWUNugaDM
oyUMa4bURfk82AXLVDju9fQQv/5wDlvQ+ejMDHE0pnvmQSa8bTol8y2IXO9Kl3ak
0NU3oOh3iJKk3q+FtxibGmIM5i095h2T97IBKJrZf6I1O0a9ZfMMDXbVpTeGIRDf
b55G6GG1jhdJa3SgtudUcGizlM0i7UrntUktmbnvWyYzbjWIKdYRq2W7vlEgKvNs
NZFVeO1KqLR92xUAIL+V7HtQ3TetyanYRH91Q8fZR9p+ScEOKJyfrpRa/IfrJKlg
k6MOqGeVaOd4nOX042S1+u0TU7HrVVVhL+Vru4utSYg9ZucM06wZOgR0A6Vay7Ap
Y43nGxRhc//auOJSh4nIQmtyup5+YiyKhynEnSF3pGuKXy64wVOO9XdW69bmyRxz
gAz4W5yTjmNBkQUYAGteJXo4fhDxWYzmeAIE7l5StTbgSZNLbndwmiWEyy8WzJtp
5xzluh+//39D+TUStZKG1MerhqnmJj3CBSTeeiKpW9QOtC4y2vuWzNp3XHS9FjeW
GOz5seJ5VDokkzP05XOfJ9SyblFAOW/Zteh2wdOb+S+/pUz+OukwPZthMwRsl0Dc
U+fx2mK+9I9TBJWgUHO1aXm6FlcyDnSlzc5oM4wXKF4sqByjjuCtYzK8UtEwlKNm
Pyboq4Y5RhYrW63LDl+SerkCDQRldmz1ARAAvkmAuvLXwZ86mubWYQFsmy3UKxdF
cewS8XikjsEZPvf0kYgi9wlMTRDvWlEmNGp9r4NWH36zm6uBjK9hxn+rNsiqkYez
MPTgwvxruSJWJPaFqK096Y8AMuk9SobMsydtlxuChQ3RwYo+j/v1csAdD88igzjW
3HKCzJ0e76ILdfbqlh8tJ+nbXvFgVVV2+vV996PTp4dQedc4/VzFGv00Mejkmhd3
nUBqdmG9mgqR4LK5xWCHXSVqgdVeH0urOiEN57aOie/30q6IegkfrKCSq1zGJE5o
WApzrOqo0UEDDND6PXDuLvzVuot3M/YvKjUXx8FatJC5BLSH0I9AKBWqPGvjk07V
IoI0CexyKoJKIkGl/ZUyRsorqmqg1671HUYNAFEbIwxeJUQkjTwqUxGXSjei7t8a
wzuZsA81lhXpwt6DfuQQ9XkDrc4dfyEuvkV9PforZxz8dVlDiORw3hPYqBjbU0hy
6D4Ytq3f88azYvZF8GE4uSYzvN6XeRhLr1hnfAFfGQFdNwg4qufjo8QYoQsYe6RZ
uenL1z5vkGRUz03l11GiaOqEJDJTy3dGACeQqAjjno8UL9Nb7PUWfnZL41zOGL8s
DHee7hX2+hsRPMoiqCzJrCjU52G5qGEB8d44VjNM8y435jyfBAh8ugv4rsSonzy+
ASe0msXK6bLxAy0AEQEAAYkCPAQYAQgAJhYhBFPUaULgBqKj7tyLyBMUA/TRbY3H
BQJldmz1AhsMBQkHhh77AAoJEBMUA/TRbY3HlA0QAI4DQ3MNfkpIZw/aKEetCaVB
LIVEfugoDcUQxiwc00G1aEuxpBdnfT5wFzUodUFJuIntGcYUMJwvAC3RB4ZANuoP
F2j/2JIp42GYhBjNSyy0ix/E2C/95HZDzsvDB4EZ0VMvec+MgAweTZhxZfdCsmId
lMWFfn3UM5FhtsOqLmw11T/6PdDgcyomrsp4ghHph9dJvMGiqXjysTSg3OMxzQeU
lzjX+6C4dY6AcpqAkeG+zRUYSQKsHQwSOxK7zon/hAA2+Gbvu+pzr0jHnatX8Fkd
eOBc6xZpnoQcubj/PXEBhXV4868jW/RNRG5ZXoQpnf63R0616JePkUKnXxs61JD9
oBuERUPn+HK346QNgNDRhzAufPYsXlPOPtU6poZqinMhsbcpW5Konjp2yLVwosXn
UPGLzZZHy9csF3VcWV96bM8WUEkFNfflisi1nE7yqC/CKgUjK0HUFDhyNHuCICTC
e9tvw2epbaLkid0NxV+a0RWWiUq2kMeTBUezVC27P+LAZ8aTZxHPyERtJlBgTCfm
1hWJ3CcIc4LT54AS3allzTv0f6iHX9WpJhfr3WPIY1Xt/d466l3VSofktwmpTEr2
DAECOit/CE1rFy1C+MHinAUX6C7ajg6msIE6uZHFrbHlSU8/WrbvZ1e4Nc7w7e/N
R182g26K1DaCZphtoq8Z
=0YqB
-----END PGP PUBLIC KEY BLOCK-----

26
python-Django.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-Django
#
# Copyright (c) 2025 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,13 +20,8 @@
%bcond_with selenium
%bcond_with memcached
%{?sle15_python_module_pythons}
%if 0%{?suse_version} > 1500
%bcond_without libalternatives
%else
%bcond_with libalternatives
%endif
Name: python-Django
Version: 5.2.9
Version: 5.2.4
Release: 0
Summary: A high-level Python Web framework
License: BSD-3-Clause
@@ -36,10 +31,9 @@ Source1: https://www.djangoproject.com/m/pgp/Django-%{version}.checksum.t
Source2: %{name}.keyring
Source99: python-Django-rpmlintrc
# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
# fixed and refined upstream, but some of our interpreters weren't updated to a new version yet and still only carry the patch, so providing the non-conditional version
Patch0: test_strip_tags.patch
# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19530 Fixed #36421 -- Made test_msgfmt_error_including_non_ascii compatible with with msgfmt 0.25.
Patch1: support-msgfmt-0.25.patch
# PATCH-FIX-UPSTREAM CVE-2025-57833.patch bsc#1248810
Patch1: CVE-2025-57833.patch
BuildRequires: %{python_module Jinja2 >= 2.9.2}
BuildRequires: %{python_module Pillow >= 6.2.0}
BuildRequires: %{python_module PyYAML}
@@ -64,6 +58,8 @@ Requires: python
Requires: python-asgiref >= 3.7.0
Requires: python-sqlparse >= 0.3.1
Requires: python-tzdata
Requires(post): update-alternatives
Requires(postun): update-alternatives
Recommends: python-Jinja2 >= 2.9.2
Recommends: python-Pillow >= 6.2.0
Recommends: python-PyYAML
@@ -77,13 +73,6 @@ Obsoletes: python-django < %{version}
Provides: python-South = %{version}
Obsoletes: python-South < %{version}
BuildArch: noarch
%if %{with libalternatives}
BuildRequires: alts
Requires: alts
%else
Requires(post): update-alternatives
Requires(postun): update-alternatives
%endif
%if %{with memcached}
BuildRequires: %{python_module pylibmc}
BuildRequires: %{python_module pymemcache}
@@ -144,9 +133,6 @@ export PATH=%{_libdir}/chromium:$PATH
%python_expand PYTHONPATH=.:%{buildroot}%{$python_sitelib} $python tests/runtests.py -v 2
%endif
%pre
%python_libalternatives_reset_alternative django-admin
%post
%{python_install_alternative django-admin}

69
support-msgfmt-0.25.patch
View File

@@ -1,69 +0,0 @@
From 3609c463a4cfc5a7e76f4d4ba008c5096b1f1437 Mon Sep 17 00:00:00 2001
From: Jericho Serrano <118679068+jericho1050@users.noreply.github.com>
Date: Fri, 6 Jun 2025 04:58:29 +0800
Subject: [PATCH] Fixed #36421 -- Made test_msgfmt_error_including_non_ascii
compatible with msgfmt 0.25.
---
tests/i18n/test_compilation.py | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/tests/i18n/test_compilation.py b/tests/i18n/test_compilation.py
index 4b0bb9f6bb1..3a57dbf0765 100644
--- a/tests/i18n/test_compilation.py
+++ b/tests/i18n/test_compilation.py
@@ -1,5 +1,6 @@
import gettext as gettext_module
import os
+import re
import stat
import unittest
from io import StringIO
@@ -8,10 +9,12 @@
from unittest import mock
from django.core.management import CommandError, call_command, execute_from_command_line
-from django.core.management.utils import find_command
+from django.core.management.utils import find_command, popen_wrapper
from django.test import SimpleTestCase, override_settings
from django.test.utils import captured_stderr, captured_stdout
from django.utils import translation
+from django.utils.encoding import DEFAULT_LOCALE_ENCODING
+from django.utils.functional import cached_property
from django.utils.translation import gettext
from .utils import RunInTmpDirMixin, copytree
@@ -254,6 +257,17 @@ def test_no_dirs_accidentally_skipped(self):
class CompilationErrorHandling(MessageCompilationTests):
+ @cached_property
+ def msgfmt_version(self):
+ # Note that msgfmt is installed via GNU gettext tools, hence the msgfmt
+ # version should align to gettext.
+ out, err, status = popen_wrapper(
+ ["msgfmt", "--version"],
+ stdout_encoding=DEFAULT_LOCALE_ENCODING,
+ )
+ m = re.search(r"(\d+)\.(\d+)\.?(\d+)?", out)
+ return tuple(int(d) for d in m.groups() if d is not None)
+
def test_error_reported_by_msgfmt(self):
# po file contains wrong po formatting.
with self.assertRaises(CommandError):
@@ -278,7 +292,14 @@ def test_msgfmt_error_including_non_ascii(self):
call_command(
"compilemessages", locale=["ko"], stdout=StringIO(), stderr=stderr
)
- self.assertIn("' cannot start a field name", stderr.getvalue())
+ if self.msgfmt_version < (0, 25):
+ error_msg = "' cannot start a field name"
+ else:
+ error_msg = (
+ "a field name starts with a character that is not alphanumerical "
+ "or underscore"
+ )
+ self.assertIn(error_msg, stderr.getvalue())
class ProjectAndAppTests(MessageCompilationTests):

39
test_strip_tags.patch
View File

@@ -10,11 +10,11 @@ Subject: [PATCH] Fixed #36499 -- Adjusted
tests/utils_tests/test_html.py | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
Index: django-5.2.6/tests/test_utils/tests.py
===================================================================
--- django-5.2.6.orig/tests/test_utils/tests.py
+++ django-5.2.6/tests/test_utils/tests.py
@@ -945,10 +945,10 @@ class HTMLEqualTests(SimpleTestCase):
diff --git a/tests/test_utils/tests.py b/tests/test_utils/tests.py
index 494a0ea8d384..0de19eae9072 100644
--- a/tests/test_utils/tests.py
+++ b/tests/test_utils/tests.py
@@ -959,10 +959,10 @@ def test_parsing_errors(self):
self.assertHTMLEqual("", "<p>")
error_msg = (
"First argument is not valid HTML:\n"
@@ -22,28 +22,25 @@ Index: django-5.2.6/tests/test_utils/tests.py
+ "('Unexpected end tag `div` (Line 1, Column 0)', (1, 0))"
)
with self.assertRaisesMessage(AssertionError, error_msg):
- self.assertHTMLEqual("< div></div>", "<div></div>")
- self.assertHTMLEqual("< div></ div>", "<div></div>")
+ self.assertHTMLEqual("</div>", "<div></div>")
with self.assertRaises(HTMLParseError):
parse_html("</p>")
Index: django-5.2.6/tests/utils_tests/test_html.py
===================================================================
--- django-5.2.6.orig/tests/utils_tests/test_html.py
+++ django-5.2.6/tests/utils_tests/test_html.py
@@ -162,13 +162,13 @@ class TestUtilsHtml(SimpleTestCase):
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 4ce552e79a0d..205eaeca1668 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -142,10 +142,10 @@ def test_strip_tags(self):
("&gotcha&#;<>", "&gotcha&#;<>"),
("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
("<script>alert()</script>&h", "alert()h"),
(
"><!" + ("&" * 16000) + "D",
- ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
+ ">",
),
- ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
+ ("><!" + ("&" * 16000) + "D", ">"),
("X<<<<br>br>br>br>X", "XX"),
("<" * 50 + "a>" * 50, ""),
(
">" + "<a" * 500 + "a",
- ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
+ ">",
),
- (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
+ (">" + "<a" * 500 + "a", ">"),
("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
("<" + "a" * 1_002, "<" + "a" * 1_002),
)