diff --git a/CVE-2025-57833.patch b/CVE-2025-57833.patch new file mode 100644 index 0000000000000000000000000000000000000000..817b7e16895b32950dad8084967c762e905c383a --- /dev/null +++ b/CVE-2025-57833.patch @@ -0,0 +1,84 @@ +From 31334e6965ad136a5e369993b01721499c5d1a92 Mon Sep 17 00:00:00 2001 +From: Jake Howard +Date: Wed, 13 Aug 2025 14:13:42 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation + against SQL injection in column aliases. + +Thanks Eyal Gabay (EyalSec) for the report. + +Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. + +Origin: https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 +--- + django/db/models/sql/query.py | 1 + + tests/annotations/tests.py | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index e68fd9e..5a1b685 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -1620,6 +1620,7 @@ class Query(BaseExpression): + return target_clause + + def add_filtered_relation(self, filtered_relation, alias): ++ self.check_alias(alias) + filtered_relation.alias = alias + lookups = dict(get_children_from_q(filtered_relation.condition)) + relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( +diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py +index e0cdbf1..a8474ab 100644 +--- a/tests/annotations/tests.py ++++ b/tests/annotations/tests.py +@@ -12,6 +12,7 @@ from django.db.models import ( + Exists, + ExpressionWrapper, + F, ++ FilteredRelation, + FloatField, + Func, + IntegerField, +@@ -1121,6 +1122,15 @@ class NonAggregateAnnotationTestCase(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + ++ def test_alias_filtered_relation_sql_injection(self): ++ crafted_alias = """injected_name" from "annotations_book"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ "semicolons, or SQL comments." ++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) ++ + def test_alias_forbidden_chars(self): + tests = [ + 'al"ias', +@@ -1146,6 +1156,11 @@ class NonAggregateAnnotationTestCase(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.annotate( ++ **{crafted_alias: FilteredRelation("authors")} ++ ) ++ + + class AliasTests(TestCase): + @classmethod +@@ -1418,3 +1433,12 @@ class AliasTests(TestCase): + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) ++ ++ def test_alias_filtered_relation_sql_injection(self): ++ crafted_alias = """injected_name" from "annotations_book"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ "semicolons, or SQL comments." ++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) +-- +2.50.1 + diff --git a/python-django.spec b/python-django.spec index 4e6e3247895ae01bcd98a435b9b76c2bce4a475f..6ec18959c26ac4236e4f30e7a7e84895cd61b9d5 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 4.2.15 -Release: 7 +Release: 8 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ @@ -16,6 +16,7 @@ Patch6: CVE-2025-32873.patch Patch7: CVE-2025-48432-pre1.patch Patch8: CVE-2025-48432-pre2.patch Patch9: CVE-2025-48432.patch +Patch10: CVE-2025-57833.patch BuildArch: noarch %description @@ -82,6 +83,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Thu Sep 04 2025 yaoxin <1024769339@qq.com> - 4.2.15-8 +- Fix CVE-2025-57833 + * Thu Jun 05 2025 yaoxin <1024769339@qq.com> - 4.2.15-7 - Fix CVE-2025-48432