From 857be34a2c8459ac116e4b4554e53a384a1880e7 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 9 Oct 2025 11:14:25 +0800
Subject: [PATCH] Update to 5.2.7 for fix CVE-2025-59681 and CVE-2025-59682

---
 CVE-2025-57833.patch | 84 ----------------------
 django-5.2.5.tar.gz => django-5.2.7.tar.gz | 4 +-
 python-django.spec | 8 ++-
 3 files changed, 7 insertions(+), 89 deletions(-)
 delete mode 100644 CVE-2025-57833.patch
 rename django-5.2.5.tar.gz => django-5.2.7.tar.gz (32%)

diff --git a/CVE-2025-57833.patch b/CVE-2025-57833.patch
deleted file mode 100644
index bc228fe..0000000
--- a/CVE-2025-57833.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 4c044fcc866ec226f612c475950b690b0139d243 Mon Sep 17 00:00:00 2001
-From: Jake Howard
-Date: Wed, 13 Aug 2025 14:13:42 +0200
-Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
- against SQL injection in column aliases.
-
-Thanks Eyal Gabay (EyalSec) for the report.
-
-Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
-
-Origin: https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
----
- django/db/models/sql/query.py | 1 +
- tests/annotations/tests.py | 24 ++++++++++++++++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
-index 92a09c5..a75d9e8 100644
---- a/django/db/models/sql/query.py
-+++ b/django/db/models/sql/query.py
-@@ -1696,6 +1696,7 @@ class Query(BaseExpression):
- return target_clause, needed_inner
-
- def add_filtered_relation(self, filtered_relation, alias):
-+ self.check_alias(alias)
- filtered_relation.alias = alias
- relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
- filtered_relation.relation_name
-diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
-index 6c0d7b6..060d632 100644
---- a/tests/annotations/tests.py
-+++ b/tests/annotations/tests.py
-@@ -14,6 +14,7 @@ from django.db.models import (
- Exists,
- ExpressionWrapper,
- F,
-+ FilteredRelation,
- FloatField,
- Func,
- IntegerField,
-@@ -1164,6 +1165,15 @@ class NonAggregateAnnotationTestCase(TestCase):
- with self.assertRaisesMessage(ValueError, msg):
- Book.objects.annotate(**{crafted_alias: Value(1)})
-
-+ def test_alias_filtered_relation_sql_injection(self):
-+ crafted_alias = """injected_name" from "annotations_book"; --"""
-+ msg = (
-+ "Column aliases cannot contain whitespace characters, quotation marks, "
-+ "semicolons, or SQL comments."
-+ )
-+ with self.assertRaisesMessage(ValueError, msg):
-+ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
-+
- def test_alias_forbidden_chars(self):
- tests = [
- 'al"ias',
-@@ -1189,6 +1199,11 @@ class NonAggregateAnnotationTestCase(TestCase):
- with self.assertRaisesMessage(ValueError, msg):
- Book.objects.annotate(**{crafted_alias: Value(1)})
-
-+ with self.assertRaisesMessage(ValueError, msg):
-+ Book.objects.annotate(
-+ **{crafted_alias: FilteredRelation("authors")}
-+ )
-+
- @skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
- @skipUnlessDBFeature("supports_json_field")
- def test_set_returning_functions(self):
-@@ -1482,3 +1497,12 @@ class AliasTests(TestCase):
- )
- with self.assertRaisesMessage(ValueError, msg):
- Book.objects.alias(**{crafted_alias: Value(1)})
-+
-+ def test_alias_filtered_relation_sql_injection(self):
-+ crafted_alias = """injected_name" from "annotations_book"; --"""
-+ msg = (
-+ "Column aliases cannot contain whitespace characters, quotation marks, "
-+ "semicolons, or SQL comments."
-+ )
-+ with self.assertRaisesMessage(ValueError, msg):
-+ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
---
-2.50.1
-
diff --git a/django-5.2.5.tar.gz b/django-5.2.7.tar.gz
similarity index 32%
rename from django-5.2.5.tar.gz
rename to django-5.2.7.tar.gz
index eb42736..7899bb2 100644
--- a/django-5.2.5.tar.gz
+++ b/django-5.2.7.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0745b25681b129a77aae3d4f6549b62d3913d74407831abaa0d9021a03954bae
-size 10859748
+oid sha256:e0f6f12e2551b1716a95a63a1366ca91bbcd7be059862c1b18f989b1da356cdd
+size 10865812
diff --git a/python-django.spec b/python-django.spec
index 81588f5..8cbc4a6 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,12 +1,11 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
-Version: 5.2.5
-Release: 2
+Version: 5.2.7
+Release: 1
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL: https://www.djangoproject.com/
 Source0: https://files.pythonhosted.org/packages/source/d/django/django-%{version}.tar.gz
-Patch0: CVE-2025-57833.patch
 BuildArch: noarch

 %description
@@ -75,6 +74,9 @@ mv %{buildroot}/doclist.lst .
 %{_pkgdocdir}/*

 %changelog
+* Thu Oct 09 2025 yaoxin <1024769339@qq.com> - 5.2.7-1
+- Update to 5.2.7 for fix CVE-2025-59681 and CVE-2025-59682
+
 * Thu Sep 04 2025 yaoxin <1024769339@qq.com> - 5.2.5-2
 - Fix CVE-2025-57833

-- Gitee
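Review bot: Dropping `Patch0: CVE-2025-57833.patch` in the same hunk as the version bump is only safe if the 5.2.7 tarball already carries that fix, and neither this hunk nor the new changelog entry records that the check was made; upstream's security release for CVE-2025-57833 predates 5.2.7, so the fix is expected to be present, but confirm on the unpacked source that `add_filtered_relation` in `django/db/models/sql/query.py` calls `self.check_alias(alias)`, which is the one-line change the deleted patch carried. The new changelog line names only the two new CVEs, so anyone auditing this package's CVE history sees the CVE-2025-57833 fix vanish from the spec with no explanation; make it `- Update to 5.2.7 to fix CVE-2025-59681 and CVE-2025-59682; drop CVE-2025-57833.patch, fixed upstream`. Separately, the only integrity anchor for the new source is the updated git-lfs sha256 in the companion tarball hunk, and the visible part of the spec has no `Source1` signature or `%{gpgverify}` step, so the digest should be checked against the PyPI-published sha256 for django-5.2.7.tar.gz before this lands.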