pool/python-Django
SHA256
11
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory pool:leap-16.0 pool:devel
..
compare: pool:leap-16.0
Branches Tags
pool:factory pool:leap-16.0 pool:devel

1 Commits
factory ... leap-16.0

Author SHA256 Message Date
Markéta Calábková
59a6beb077 CVE-2025-57833 2025-09-04 15:16:57 +02:00
9 changed files with 179 additions and 213 deletions
Expand all files Collapse all files

82
CVE-2025-57833.patch Normal file
View File

@@ -0,0 +1,82 @@
From 4c044fcc866ec226f612c475950b690b0139d243 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Wed, 13 Aug 2025 14:13:42 +0200
Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
---
django/db/models/sql/query.py | 1 +
docs/releases/4.2.24.txt | 7 +++++++
docs/releases/5.1.12.txt | 7 +++++++
docs/releases/5.2.6.txt | 7 +++++++
tests/annotations/tests.py | 24 ++++++++++++++++++++++++
5 files changed, 46 insertions(+)
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 9b44d017ffe3..5247616086aa 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1696,6 +1696,7 @@ def _add_q(
return target_clause, needed_inner
def add_filtered_relation(self, filtered_relation, alias):
+ self.check_alias(alias)
filtered_relation.alias = alias
relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
filtered_relation.relation_name
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
index 6c0d7b668c33..060d6324c74c 100644
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -14,6 +14,7 @@
Exists,
ExpressionWrapper,
F,
+ FilteredRelation,
FloatField,
Func,
IntegerField,
@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
+ def test_alias_filtered_relation_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
+
def test_alias_forbidden_chars(self):
tests = [
'al"ias',
@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(
+ **{crafted_alias: FilteredRelation("authors")}
+ )
+
@skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
@skipUnlessDBFeature("supports_json_field")
def test_set_returning_functions(self):
@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: Value(1)})
+
+ def test_alias_filtered_relation_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, quotation marks, "
+ "semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})

68
Django-5.2.4.checksum.txt Normal file
View File

@@ -0,0 +1,68 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This file contains MD5, SHA1, and SHA256 checksums for the
source-code tarball and wheel files of Django 5.2.4, released July 2, 2025.
To use this file, you will need a working install of PGP or other
compatible public-key encryption software. You will also need to have
the Django release manager's public key in your keyring. This key has
the ID ``2EE82A8D9470983E`` and can be imported from the MIT
keyserver, for example, if using the open-source GNU Privacy Guard
implementation of PGP:
gpg --keyserver pgp.mit.edu --recv-key 2EE82A8D9470983E
or via the GitHub API:
curl https://github.com/nessita.gpg | gpg --import -
Once the key is imported, verify this file:
gpg --verify Django-5.2.4.checksum.txt
Once you have verified this file, you can use normal MD5, SHA1, or SHA256
checksumming applications to generate the checksums of the Django
package and compare them to the checksums listed below.
Release packages
================
https://www.djangoproject.com/download/5.2.4/tarball/
https://www.djangoproject.com/download/5.2.4/wheel/
MD5 checksums
=============
6ecc4875e8cdc08706faea1cc4740fdf django-5.2.4.tar.gz
fee657f7686462d388f274c5f92b634a django-5.2.4-py3-none-any.whl
SHA1 checksums
==============
de45d44e1bb2ceb1c08b8fd0846de920874f71a1 django-5.2.4.tar.gz
a6a7904e3749a0e8937a50643293889929b4b6f7 django-5.2.4-py3-none-any.whl
SHA256 checksums
================
a1228c384f8fa13eebc015196db7b3e08722c5058d4758d20cb287503a540d8f django-5.2.4.tar.gz
60c35bd96201b10c6e7a78121bd0da51084733efa303cc19ead021ab179cef5e django-5.2.4-py3-none-any.whl
-----BEGIN PGP SIGNATURE-----
iQJcBAEBCABGFiEEW1sboQ2FrHxcduOPLugqjZRwmD4FAmhlfcIoHDEyNDMwNCtu
ZXNzaXRhQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbQAKCRAu6CqNlHCYPj5DD/94
KOuOZ5JHtZWknqi1JeV1akzB/RpY7lhL9SbJbVXhdAxOY9Cn4eUG7NsPWa9JnhX1
F/2geBE5mjOZen4ARtGHWxa5vqidqUbscrU9AkqPLn6aecEKi2jXXNkYmmWw/37K
wb92BQtuWkaXyiZ4E6Sledx9yFhcqMDFg27CdNYfAqUWofI6zzSmLIzOlOSVR9Sc
uDrfRqQ4GXlRGT5pIkcIxE0ZKToUYrKgn99PZOmBcLfJgQ4VBt62J6SzZAhhElb3
DUMcVhG2XNIhg7v7DwlVodowDYQdRi2H/ahAa7/m1+uugRbysoGSLLwP+50tDjlj
07zxoJsrL5R9zaMp4pcXQN4bUy3rDz94DkjlXO51f8LwDdStvk4VOYan1W5S9BhP
R0conCFfcg4+iK0pV5e/GeeTwBRHQw8p5RuWfrEpKFi/XQtT0u01hqUGppeuZ9wI
f+Ud9RA8Nrw0ouli4WvfH0RVFuMgUFqScwO88oatuUH5CDPjlV+5usNb7FrmZXv6
AWRopONOcYGF07+FYh0nsoE8enWyxE+JWTJzxT5PGZ3buUO0hlnJ+auoJv8yOVii
ELCSUyi93glWonCBrS41XrNO6+6K/8V9V6iv9/PdGwF1GszbX5Rx4e2lDMA7crYh
1qKGaV3+iAO+Y+vXt6VTy6h5GLg9hun+RQ8TU3Guyg==
=d9C5
-----END PGP SIGNATURE-----

66
Django-5.2.6.checksum.txt
View File

@@ -1,66 +0,0 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This file contains MD5, SHA1, and SHA256 checksums for the
source-code tarball and wheel files of Django 5.2.6, released September 3, 2025.
To use this file, you will need a working install of PGP or other
compatible public-key encryption software. You will also need to have
the Django release manager's public key in your keyring. This key has
the ID ``3955B19851EA96EF`` and can be imported from the MIT
keyserver, for example, if using the open-source GNU Privacy Guard
implementation of PGP:
gpg --keyserver pgp.mit.edu --recv-key 3955B19851EA96EF
or via the GitHub API:
curl https://github.com/sarahboyce.gpg | gpg --import -
Once the key is imported, verify this file:
gpg --verify Django-5.2.6.checksum.txt
Once you have verified this file, you can use normal MD5, SHA1, or SHA256
checksumming applications to generate the checksums of the Django
package and compare them to the checksums listed below.
Release packages
================
https://www.djangoproject.com/download/5.2.6/tarball/
https://www.djangoproject.com/download/5.2.6/wheel/
MD5 checksums
=============
1f0327293cc3768903ce8cd390ec3f47 django-5.2.6.tar.gz
fca0005922f8db95eb97108e3d8e0b24 django-5.2.6-py3-none-any.whl
SHA1 checksums
==============
ada4c057790d255039ac5fe3a31378e5fde0417a django-5.2.6.tar.gz
f92e94e9ab2e21f3d681918d67b15e7e54d348f6 django-5.2.6-py3-none-any.whl
SHA256 checksums
================
da5e00372763193d73cecbf71084a3848458cecf4cee36b9a1e8d318d114a87b django-5.2.6.tar.gz
60549579b1174a304b77e24a93d8d9fafe6b6c03ac16311f3e25918ea5a20058 django-5.2.6-py3-none-any.whl
-----BEGIN PGP SIGNATURE-----
iQHhBAEBCABLFiEE6xs4DYrFLQArrNMyOVWxmFHqlu8FAmi4JLQtHDQyMjk2NTY2
K3NhcmFoYm95Y2VAdXNlcnMubm9yZXBseS5naXRodWIuY29tAAoJEDlVsZhR6pbv
rLQL/AmvGY0A1mnf22ZarnqGyH1pRyC7ZrhX2XtoCN6rOjYHleXDqjCIRnbJPnSP
QoKVj6C0xiWsueetEWdrQd2iwgwuAir2dZ0x4TR9ejmVqUUb/R5BakqjZ7g46lsy
GOvU+MlQjzbu1sh0T2G7DC/z019v3+/3lHGpI4HkUFpIb6EOybKW61+MbZZqQMyY
EC/bYEIzfmoJN0Hyi9FoFx0aE/kMpeEYn6wXmEVUfpW7xqXy5AsA2VpU1/nbu0xS
2R+rOljxTSTvqZknDQhr3WbS6D8m/odlcF59pVNzuBwPChz78o6PtwKLitaUy1sp
LOiunKvQYU7Syt4yz+ro+5S+4bcCsIArOe4SKvkMOCi6pFxyXNz0a8PYXpCbg5ER
PQD6RhUbpz2FFMBTeGjPM4JhrIA06A4goX0Q6PHvOLDPg1WlopSKMu5BBGL7fr/O
7jfGeDf5qKIIJ9ZfZS/flS/ebxm8cG9sF7gpbganJC0TnOWmKLdPYQzLia4zFx3f
pj+RwA==
=g/HH
-----END PGP SIGNATURE-----

3
django-5.2.4.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1228c384f8fa13eebc015196db7b3e08722c5058d4758d20cb287503a540d8f
size 10831909

3
django-5.2.6.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:da5e00372763193d73cecbf71084a3848458cecf4cee36b9a1e8d318d114a87b
size 10858861

36
python-Django.changes
View File

@@ -1,39 +1,7 @@
-------------------------------------------------------------------
Thu Sep 4 10:02:00 UTC 2025 - Markéta Machová <mmachova@suse.com>
Thu Sep 4 13:14:40 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.6 (bsc#1248810)
* CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases
* Fixed a bug where using QuerySet.values() or values_list() with a ForeignObject
composed of multiple fields returned incorrect results instead of tuples of
the referenced fields
- Rebased test_strip_tags.patch
-------------------------------------------------------------------
Tue Aug 12 10:52:26 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Update to 5.2.5
* Fixed a regression in Django 5.2.1 that prevented the usage of UNNEST
PostgreSQL strategy of QuerySet.bulk_create() with foreign keys
* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions
* Fixed a crash in Django 5.2 when validating a model that uses
GeneratedField or constraints composed of Q and Case lookups
* Added compatibility for docutils 0.22
* Fixed a crash in Django 5.2 when using a ManyToManyField on a model with
a composite primary key, by extending the fields.E347 system check
- Convert to libalternatives on SLE-16-based and newer systems
-------------------------------------------------------------------
Fri Aug 1 02:09:01 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
- Reinstate Requires on tzdata, a lot of packages use it.
-------------------------------------------------------------------
Wed Jul 30 06:03:44 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-msgfmt-0.25.patch:
* Support msgfmt 0.25 error messages changes. (bsc#1246966)
- Remove unneeded Requires on tzdata.
- Add security patch CVE-2025-57833.patch (bsc#1248810)
-------------------------------------------------------------------
Sat Jul 19 06:51:37 UTC 2025 - Markéta Machová <mmachova@suse.com>

26
python-Django.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-Django
#
# Copyright (c) 2025 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,13 +20,8 @@
%bcond_with selenium
%bcond_with memcached
%{?sle15_python_module_pythons}
%if 0%{?suse_version} > 1500
%bcond_without libalternatives
%else
%bcond_with libalternatives
%endif
Name: python-Django
Version: 5.2.6
Version: 5.2.4
Release: 0
Summary: A high-level Python Web framework
License: BSD-3-Clause
@@ -36,10 +31,9 @@ Source1: https://www.djangoproject.com/m/pgp/Django-%{version}.checksum.t
Source2: %{name}.keyring
Source99: python-Django-rpmlintrc
# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19639 Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
# fixed and refined upstream, but some of our interpreters weren't updated to a new version yet and still only carry the patch, so providing the non-conditional version
Patch0: test_strip_tags.patch
# PATCH-FIX-UPSTREAM https://github.com/django/django/pull/19530 Fixed #36421 -- Made test_msgfmt_error_including_non_ascii compatible with with msgfmt 0.25.
Patch1: support-msgfmt-0.25.patch
# PATCH-FIX-UPSTREAM CVE-2025-57833.patch bsc#1248810
Patch1: CVE-2025-57833.patch
BuildRequires: %{python_module Jinja2 >= 2.9.2}
BuildRequires: %{python_module Pillow >= 6.2.0}
BuildRequires: %{python_module PyYAML}
@@ -64,6 +58,8 @@ Requires: python
Requires: python-asgiref >= 3.7.0
Requires: python-sqlparse >= 0.3.1
Requires: python-tzdata
Requires(post): update-alternatives
Requires(postun): update-alternatives
Recommends: python-Jinja2 >= 2.9.2
Recommends: python-Pillow >= 6.2.0
Recommends: python-PyYAML
@@ -77,13 +73,6 @@ Obsoletes: python-django < %{version}
Provides: python-South = %{version}
Obsoletes: python-South < %{version}
BuildArch: noarch
%if %{with libalternatives}
BuildRequires: alts
Requires: alts
%else
Requires(post): update-alternatives
Requires(postun): update-alternatives
%endif
%if %{with memcached}
BuildRequires: %{python_module pylibmc}
BuildRequires: %{python_module pymemcache}
@@ -144,9 +133,6 @@ export PATH=%{_libdir}/chromium:$PATH
%python_expand PYTHONPATH=.:%{buildroot}%{$python_sitelib} $python tests/runtests.py -v 2
%endif
%pre
%python_libalternatives_reset_alternative django-admin
%post
%{python_install_alternative django-admin}

69
support-msgfmt-0.25.patch
View File

@@ -1,69 +0,0 @@
From 3609c463a4cfc5a7e76f4d4ba008c5096b1f1437 Mon Sep 17 00:00:00 2001
From: Jericho Serrano <118679068+jericho1050@users.noreply.github.com>
Date: Fri, 6 Jun 2025 04:58:29 +0800
Subject: [PATCH] Fixed #36421 -- Made test_msgfmt_error_including_non_ascii
compatible with msgfmt 0.25.
---
tests/i18n/test_compilation.py | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/tests/i18n/test_compilation.py b/tests/i18n/test_compilation.py
index 4b0bb9f6bb1..3a57dbf0765 100644
--- a/tests/i18n/test_compilation.py
+++ b/tests/i18n/test_compilation.py
@@ -1,5 +1,6 @@
import gettext as gettext_module
import os
+import re
import stat
import unittest
from io import StringIO
@@ -8,10 +9,12 @@
from unittest import mock
from django.core.management import CommandError, call_command, execute_from_command_line
-from django.core.management.utils import find_command
+from django.core.management.utils import find_command, popen_wrapper
from django.test import SimpleTestCase, override_settings
from django.test.utils import captured_stderr, captured_stdout
from django.utils import translation
+from django.utils.encoding import DEFAULT_LOCALE_ENCODING
+from django.utils.functional import cached_property
from django.utils.translation import gettext
from .utils import RunInTmpDirMixin, copytree
@@ -254,6 +257,17 @@ def test_no_dirs_accidentally_skipped(self):
class CompilationErrorHandling(MessageCompilationTests):
+ @cached_property
+ def msgfmt_version(self):
+ # Note that msgfmt is installed via GNU gettext tools, hence the msgfmt
+ # version should align to gettext.
+ out, err, status = popen_wrapper(
+ ["msgfmt", "--version"],
+ stdout_encoding=DEFAULT_LOCALE_ENCODING,
+ )
+ m = re.search(r"(\d+)\.(\d+)\.?(\d+)?", out)
+ return tuple(int(d) for d in m.groups() if d is not None)
+
def test_error_reported_by_msgfmt(self):
# po file contains wrong po formatting.
with self.assertRaises(CommandError):
@@ -278,7 +292,14 @@ def test_msgfmt_error_including_non_ascii(self):
call_command(
"compilemessages", locale=["ko"], stdout=StringIO(), stderr=stderr
)
- self.assertIn("' cannot start a field name", stderr.getvalue())
+ if self.msgfmt_version < (0, 25):
+ error_msg = "' cannot start a field name"
+ else:
+ error_msg = (
+ "a field name starts with a character that is not alphanumerical "
+ "or underscore"
+ )
+ self.assertIn(error_msg, stderr.getvalue())
class ProjectAndAppTests(MessageCompilationTests):

39
test_strip_tags.patch
View File

@@ -10,11 +10,11 @@ Subject: [PATCH] Fixed #36499 -- Adjusted
tests/utils_tests/test_html.py | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
Index: django-5.2.6/tests/test_utils/tests.py
===================================================================
--- django-5.2.6.orig/tests/test_utils/tests.py
+++ django-5.2.6/tests/test_utils/tests.py
@@ -945,10 +945,10 @@ class HTMLEqualTests(SimpleTestCase):
diff --git a/tests/test_utils/tests.py b/tests/test_utils/tests.py
index 494a0ea8d384..0de19eae9072 100644
--- a/tests/test_utils/tests.py
+++ b/tests/test_utils/tests.py
@@ -959,10 +959,10 @@ def test_parsing_errors(self):
self.assertHTMLEqual("", "<p>")
error_msg = (
"First argument is not valid HTML:\n"
@@ -22,28 +22,25 @@ Index: django-5.2.6/tests/test_utils/tests.py
+ "('Unexpected end tag `div` (Line 1, Column 0)', (1, 0))"
)
with self.assertRaisesMessage(AssertionError, error_msg):
- self.assertHTMLEqual("< div></div>", "<div></div>")
- self.assertHTMLEqual("< div></ div>", "<div></div>")
+ self.assertHTMLEqual("</div>", "<div></div>")
with self.assertRaises(HTMLParseError):
parse_html("</p>")
Index: django-5.2.6/tests/utils_tests/test_html.py
===================================================================
--- django-5.2.6.orig/tests/utils_tests/test_html.py
+++ django-5.2.6/tests/utils_tests/test_html.py
@@ -162,13 +162,13 @@ class TestUtilsHtml(SimpleTestCase):
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 4ce552e79a0d..205eaeca1668 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -142,10 +142,10 @@ def test_strip_tags(self):
("&gotcha&#;<>", "&gotcha&#;<>"),
("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
("<script>alert()</script>&h", "alert()h"),
(
"><!" + ("&" * 16000) + "D",
- ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
+ ">",
),
- ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
+ ("><!" + ("&" * 16000) + "D", ">"),
("X<<<<br>br>br>br>X", "XX"),
("<" * 50 + "a>" * 50, ""),
(
">" + "<a" * 500 + "a",
- ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
+ ">",
),
- (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
+ (">" + "<a" * 500 + "a", ">"),
("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
("<" + "a" * 1_002, "<" + "a" * 1_002),
)