@@ -1,4 +1,4 @@
-From 072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Mon Sep 17 00:00:00 2001
+From 44257057cb92c55ee3c9f66de76120c523aacbc3 Mon Sep 17 00:00:00 2001
From: Shai Berger <shai@platonix.com>
Date: Mon, 19 Feb 2024 13:56:37 +0100
Subject: [PATCH] Fixed CVE-2024-27351 -- Prevented potential ReDoS in
@@ -14,16 +14,14 @@ https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
Signed-off-by: Shai Berger <shai@platonix.com>
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
-
-%% original patch: CVE-2024-27351.patch
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/utils/text.py | 57 ++++++++++++++++++++++++++++++++--
- docs/releases/2.2.28.txt | 9 ++++++
tests/utils_tests/test_text.py | 26 ++++++++++++++++
- 3 files changed, 90 insertions(+), 2 deletions(-)
+ 2 files changed, 81 insertions(+), 2 deletions(-)
diff --git a/django/utils/text.py b/django/utils/text.py
-index 06a377b..2c4040e 100644
+index 06a377b894a2..02dd0891686b 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -15,8 +15,61 @@ def capfirst(x):
@@ -43,8 +41,8 @@ index 06a377b..2c4040e 100644
+# text with only open brackets "<<<...". The class below provides the services
+# and correct answers for the use cases, but in these edge cases does it much
+# faster.
-+re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S)
-+re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S)
++re_notag = re.compile(r"([^<>\s]+)", re.S)
++re_prt = re.compile(r"<|([^<>\s]+)", re.S)
+
+
+class WordsRegex:
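Review bot: A leftover `from django.utils.regex_helper import _lazy_re_compile` in the backported `@@ -15,8 +15,61 @@ def capfirst(x):` hunk of this same patch would break module import on the 2.2 branch once `re_notag` and `re_prt` no longer use it, and that import region is outside this view, so the regenerated patch should be checked for it (to my knowledge `_lazy_re_compile` does not exist on 2.2, which is presumably why the substitution was made). The switch to `re.compile` itself is consistent with the surrounding 2.2 module, where the neighbouring module-level patterns `re_chars`, `re_tag` and `re_newlines` are built the same way; the patterns and the `re.S` flag are unchanged, so the ReDoS mitigation is the same as upstream's, only compiled at import time instead of on first use. The same substitution is made for `long_open_tag_without_closing_re` in the django/utils/html.py patch (the `@@ -32,7 +32,7 @@` hunk) and the same import check applies there. The `WordsRegex` class that consumes these two patterns starts on the last line of this hunk and continues outside it.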
@@ -90,25 +88,8 @@ index 06a377b..2c4040e 100644
re_chars = re.compile(r'<[^>]+?>|(.)', re.S)
re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index c653cb6..7227452 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -90,3 +90,12 @@ large number of Unicode characters.
- In order to avoid the vulnerability, invalid values longer than
- ``UsernameField.max_length`` are no longer normalized, since they cannot pass
- validation anyway.
-+
-+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
-+=========================================================================================================
-+
-+``django.utils.text.Truncator.words()`` method (with ``html=True``) and
-+:tfilter:`truncatewords_html` template filter were subject to a potential
-+regular expression denial-of-service attack using a suitably crafted string
-+(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
-+
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
-index cb3063d..7e9f2b3 100644
+index cb3063d460e0..7e9f2b3e96d5 100644
--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
@@ -156,6 +156,32 @@ class TestUtilsText(SimpleTestCase):
@@ -145,5 +126,5 @@ index cb3063d..7e9f2b3 100644
def test_truncate_words_html_size_limit(self):
max_len = text.Truncator.MAX_LENGTH_HTML
--
-2.40.0
+2.34.1
@@ -1,4 +1,4 @@
-From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
+From 7d7126caae786521290383d618dea49727d871f9 Mon Sep 17 00:00:00 2001
From: Michael Manfre <mike@manfre.net>
Date: Fri, 14 Jun 2024 22:12:58 -0400
Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
@@ -15,14 +15,14 @@ https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
Signed-off-by: Michael Manfre <mike@manfre.net>
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/contrib/auth/hashers.py | 10 ++++++++--
- docs/releases/2.2.28.txt | 7 +++++++
tests/auth_tests/test_hashers.py | 32 ++++++++++++++++++++++++++++++++
- 3 files changed, 47 insertions(+), 2 deletions(-)
+ 2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
-index 1e8d754..4acb81d 100644
+index 1e8d7547fc35..4acb81d3d0de 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
@@ -48,23 +48,8 @@ index 1e8d754..4acb81d 100644
return False
hasher_changed = hasher.algorithm != preferred.algorithm
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index f3fb298..22fa80e 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -124,3 +124,10 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
- using a suitably crafted dictionary, with dictionary expansion, as the
- ``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
-
-+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
-+================================================================================================
-+
-+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
-+allowed remote attackers to enumerate users via a timing attack involving login
-+requests for users with unusable passwords.
-+
diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
-index ee6441b..391b3cc 100644
+index ee6441b237f6..391b3cc9b41b 100644
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@@ -433,6 +433,38 @@ class TestUtilsHashPass(SimpleTestCase):
@@ -107,5 +92,5 @@ index ee6441b..391b3cc 100644
class BasePasswordHasherTests(SimpleTestCase):
not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
--
-2.40.0
+2.34.1
@@ -1,8 +1,8 @@
-From 2b00edc0151a660d1eb86da4059904a0fc4e095e Mon Sep 17 00:00:00 2001
+From 44f8933ad6a969a6b509c31a7e46a2813d049d8f Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Wed, 20 Mar 2024 13:55:21 -0300
-Subject: [PATCH] Fixed CVE-2024-39330 -- Added extra file name validation in
- Storage's save method.
+Subject: [PATCH] Fixed CVE-2024-39330 -- Added extra file name validation
+ in Storage's save method.
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
@@ -13,17 +13,17 @@ Upstream-Status: Backport
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/core/files/storage.py | 11 ++++++
django/core/files/utils.py | 7 ++--
- docs/releases/2.2.28.txt | 12 ++++++
tests/file_storage/test_base.py | 70 +++++++++++++++++++++++++++++++++
tests/file_storage/tests.py | 6 ---
- 5 files changed, 96 insertions(+), 10 deletions(-)
+ 4 files changed, 84 insertions(+), 10 deletions(-)
create mode 100644 tests/file_storage/test_base.py
diff --git a/django/core/files/storage.py b/django/core/files/storage.py
-index ea5bbc8..8c633ec 100644
+index ea5bbc82d0e2..8c633ec040ed 100644
--- a/django/core/files/storage.py
+++ b/django/core/files/storage.py
@@ -50,7 +50,18 @@ class Storage:
@@ -46,7 +46,7 @@ index ea5bbc8..8c633ec 100644
# Ensure that the name returned from the storage system is still valid.
validate_file_name(name, allow_relative_path=True)
diff --git a/django/core/files/utils.py b/django/core/files/utils.py
-index f28cea1..a1fea44 100644
+index f28cea107758..a1fea44ded67 100644
--- a/django/core/files/utils.py
+++ b/django/core/files/utils.py
@@ -10,10 +10,9 @@ def validate_file_name(name, allow_relative_path=False):
@@ -63,29 +63,9 @@ index f28cea1..a1fea44 100644
if path.is_absolute() or '..' in path.parts:
raise SuspiciousFileOperation(
"Detected path traversal attempt in '%s'" % name
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index 22fa80e..3503f38 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -131,3 +131,15 @@ The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
- allowed remote attackers to enumerate users via a timing attack involving login
- requests for users with unusable passwords.
-
-+CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
-+====================================================================
-+
-+Derived classes of the :class:`~django.core.files.storage.Storage` base class
-+which override :meth:`generate_filename()
-+<django.core.files.storage.Storage.generate_filename()>` without replicating
-+the file path validations existing in the parent class, allowed for potential
-+directory-traversal via certain inputs when calling :meth:`save()
-+<django.core.files.storage.Storage.save()>`.
-+
-+Built-in ``Storage`` sub-classes were not affected by this vulnerability.
-+
diff --git a/tests/file_storage/test_base.py b/tests/file_storage/test_base.py
new file mode 100644
-index 0000000..c5338b8
+index 000000000000..c5338b8e668f
--- /dev/null
+++ b/tests/file_storage/test_base.py
@@ -0,0 +1,70 @@
@@ -160,7 +140,7 @@ index 0000000..c5338b8
+ ):
+ s.save("valid-file-name.txt", content="irrelevant")
diff --git a/tests/file_storage/tests.py b/tests/file_storage/tests.py
-index 4c6f692..0e69264 100644
+index 4c6f6920ed2d..0e692644b7fd 100644
--- a/tests/file_storage/tests.py
+++ b/tests/file_storage/tests.py
@@ -291,12 +291,6 @@ class FileStorageTests(SimpleTestCase):
@@ -177,5 +157,5 @@ index 4c6f692..0e69264 100644
with TemporaryUploadedFile('test', 'text/plain', 1, 'utf8') as file:
file.write(b'1')
--
-2.48.1
+2.34.1
@@ -1,4 +1,4 @@
-From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001
+From bd4fcf0ed96b5a74a4143ab4d9e9391f6bf7122c Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Mon, 6 Jan 2025 15:51:45 -0300
Subject: [PATCH] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6
@@ -15,20 +15,18 @@ https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
Signed-off-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
-
-%% original patch: CVE-2024-56374.patch
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/db/models/fields/__init__.py | 6 +--
django/forms/fields.py | 7 +++-
django/utils/ipv6.py | 22 ++++++++--
docs/ref/forms/fields.txt | 13 +++++-
- docs/releases/2.2.28.txt | 12 ++++++
.../field_tests/test_genericipaddressfield.py | 35 +++++++++++++++-
tests/utils_tests/test_ipv6.py | 40 +++++++++++++++++--
- 7 files changed, 120 insertions(+), 15 deletions(-)
+ 6 files changed, 108 insertions(+), 15 deletions(-)
diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
-index e2d1846..c77702f 100644
+index e2d1846ad625..c77702fdacae 100644
--- a/django/db/models/fields/__init__.py
+++ b/django/db/models/fields/__init__.py
@@ -26,7 +26,7 @@ from django.utils.dateparse import (
@@ -59,7 +57,7 @@ index e2d1846..c77702f 100644
return name, path, args, kwargs
diff --git a/django/forms/fields.py b/django/forms/fields.py
-index f939338..b3156b9 100644
+index f9393383ed81..b3156b9877dc 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -29,7 +29,7 @@ from django.forms.widgets import (
@@ -91,7 +89,7 @@ index f939338..b3156b9 100644
diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
-index ddb8c80..aed7902 100644
+index ddb8c8091d2f..aed7902af919 100644
--- a/django/utils/ipv6.py
+++ b/django/utils/ipv6.py
@@ -3,9 +3,23 @@ import ipaddress
@@ -139,7 +137,7 @@ index ddb8c80..aed7902 100644
return False
return True
diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
-index 3a888ef..688890a 100644
+index 3a888ef6b752..688890a5fba6 100644
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@@ -791,7 +791,7 @@ For each field, we describe the default widget used if you don't specify
@@ -176,28 +174,8 @@ index 3a888ef..688890a 100644
``MultipleChoiceField``
-----------------------
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index 7096d13..0e092f0 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -105,3 +105,15 @@ CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text
- The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
- potential denial-of-service attack when used with very long strings.
-
-+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
-+============================================================================
-+
-+Lack of upper bound limit enforcement in strings passed when performing IPv6
-+validation could lead to a potential denial-of-service attack. The undocumented
-+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
-+vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
-+which has now been updated to define a ``max_length`` of 39 characters.
-+
-+The :class:`django.db.models.GenericIPAddressField` model field was not
-+affected.
-+
diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py
-index 97a83e3..4c79d78 100644
+index 97a83e38aedd..4c79d7852aa5 100644
--- a/tests/forms_tests/field_tests/test_genericipaddressfield.py
+++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py
@@ -1,5 +1,6 @@
@@ -256,7 +234,7 @@ index 97a83e3..4c79d78 100644
f.clean('12345:2:3:4')
with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
-index 4e434f3..1ac6763 100644
+index 4e434f3c3aa0..1ac6763d9b93 100644
--- a/tests/utils_tests/test_ipv6.py
+++ b/tests/utils_tests/test_ipv6.py
@@ -1,9 +1,17 @@
@@ -311,5 +289,5 @@ index 4e434f3..1ac6763 100644
+ )
+ self.assertIn(value_error_msg % addr, exception_traceback.getvalue())
--
-2.40.0
+2.34.1
@@ -1,8 +1,8 @@
-From e88f7376fe68dbf4ebaf11fad1513ce700b45860 Mon Sep 17 00:00:00 2001
+From e8ff028d15324bd21b6378b539637d5c5eb3c4f1 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 25 Feb 2025 09:40:54 +0100
-Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap
- template filter.
+Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in
+ wordwrap template filter.
Thanks sw0rd1ight for the report.
@@ -15,16 +15,14 @@ https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860
Signed-off-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
-
-%% original patch: CVE-2025-26699.patch
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/utils/text.py | 28 ++++++++-----------
- docs/releases/2.2.28.txt | 6 ++++
- .../filter_tests/test_wordwrap.py | 12 ++++++++
- 3 files changed, 29 insertions(+), 17 deletions(-)
+ .../filter_tests/test_wordwrap.py | 11 ++++++++
+ 2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/django/utils/text.py b/django/utils/text.py
-index 2c4040e..c474d56 100644
+index 02dd0891686b..e104b60c4f6c 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -1,5 +1,6 @@
@@ -68,25 +66,11 @@ index 2c4040e..c474d56 100644
class Truncator(SimpleLazyObject):
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index 7227452..7096d13 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -99,3 +99,9 @@ CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils
- regular expression denial-of-service attack using a suitably crafted string
- (follow up to :cve:`2019-14232` and :cve:`2023-43665`).
-
-+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
-+=========================================================================================
-+
-+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
-+potential denial-of-service attack when used with very long strings.
-+
diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
-index 02f8605..e6f2afb 100644
+index 02f860582ba7..f61842cb19aa 100644
--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
-@@ -51,3 +51,15 @@ class FunctionTests(SimpleTestCase):
+@@ -51,3 +51,14 @@ class FunctionTests(SimpleTestCase):
), 14),
'this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\nI\'m afraid',
)
@@ -101,7 +85,6 @@ index 02f8605..e6f2afb 100644
+ "I'm afraid",
+ wordwrap(long_text, 10),
+ )
-+
--
-2.40.0
+2.34.1
@@ -1,4 +1,4 @@
-From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001
+From ceb93eee32c9e9ad7e0fbaed725d6d54b09bf9d0 Mon Sep 17 00:00:00 2001
From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Date: Wed, 30 Apr 2025 10:34:27 -0400
Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in
@@ -17,14 +17,14 @@ Upstream-Status: Backport
https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/utils/html.py | 6 ++++++
- docs/releases/2.2.28.txt | 11 +++++++++++
tests/utils_tests/test_html.py | 15 ++++++++++++++-
- 3 files changed, 31 insertions(+), 1 deletion(-)
+ 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/django/utils/html.py b/django/utils/html.py
-index 0d5ffd2..858a517 100644
+index 0d5ffd219baf..6eb8bc3dbf38 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -37,6 +37,9 @@ _html_escapes = {
@@ -32,7 +32,7 @@ index 0d5ffd2..858a517 100644
}
+# HTML tag that opens but has no closing ">" after 1k+ chars.
-+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
++long_open_tag_without_closing_re = re.compile(r"<[a-zA-Z][^>]{1000,}")
+
@keep_lazy(str, SafeText)
@@ -47,27 +47,8 @@ index 0d5ffd2..858a517 100644
# Note: in typical case this loop executes _strip_once twice (the second
# execution does not remove any more tags).
strip_tags_depth = 0
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index 3503f38..1676bbd 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -143,3 +143,14 @@ directory-traversal via certain inputs when calling :meth:`save()
-
- Built-in ``Storage`` sub-classes were not affected by this vulnerability.
-
-+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
-+=================================================================
-+
-+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
-+containing large sequences of incomplete HTML tags. This function is used to
-+implement the :tfilter:`striptags` template filter, which was thus also
-+vulnerable.
-+
-+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
-+exception if it encounters an unusually large number of unclosed opening tags.
-+
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
-index 2f412e1..653deb2 100644
+index 2f412e103343..653deb2087e8 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -92,17 +92,30 @@ class TestUtilsHtml(SimpleTestCase):
@@ -103,5 +84,5 @@ index 2f412e1..653deb2 100644
# Test with more lengthy content (also catching performance regressions)
for filename in ('strip_tags1.html', 'strip_tags2.txt'):
--
-2.40.0
+2.34.1
@@ -1,8 +1,8 @@
-From 31334e6965ad136a5e369993b01721499c5d1a92 Mon Sep 17 00:00:00 2001
+From 6fb375254ac11840ec66cd6d1ffdc4dbd57af190 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Wed, 13 Aug 2025 14:13:42 +0200
-Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation against
- SQL injection in column aliases.
+Subject: [PATCH] Fixed CVE-2025-57833 -- Protected FilteredRelation
+ against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
@@ -15,16 +15,14 @@ https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
Signed-off-by: Jake Howard <git@theorangeone.net>
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
-
-%% original patch: CVE-2025-57833.patch
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
django/db/models/sql/query.py | 1 +
- docs/releases/2.2.28.txt | 7 +++++++
tests/annotations/tests.py | 18 ++++++++++++++++--
- 3 files changed, 24 insertions(+), 2 deletions(-)
+ 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
-index 9b054bd..96a6f5f 100644
+index 9b054bd10079..96a6f5fb5c8d 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1369,6 +1369,7 @@ class Query:
@@ -35,23 +33,8 @@ index 9b054bd..96a6f5f 100644
filtered_relation.alias = alias
lookups = dict(get_children_from_q(filtered_relation.condition))
for lookup in chain((filtered_relation.relation_name,), lookups):
-diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
-index 0e092f0..f3fb298 100644
---- a/docs/releases/2.2.28.txt
-+++ b/docs/releases/2.2.28.txt
-@@ -117,3 +117,10 @@ which has now been updated to define a ``max_length`` of 39 characters.
- The :class:`django.db.models.GenericIPAddressField` model field was not
- affected.
-
-+CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
-+==============================================================================
-+
-+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
-+using a suitably crafted dictionary, with dictionary expansion, as the
-+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
-+
diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
-index 27cd7eb..cdffb07 100644
+index 27cd7ebfb826..cdffb0792009 100644
--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
@@ -3,8 +3,8 @@ from decimal import Decimal
@@ -91,5 +74,5 @@ index 27cd7eb..cdffb07 100644
+ **{crafted_alias: FilteredRelation("authors")}
+ )
--
-2.40.0
+2.34.1