--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
Dear stable release managers,
Re. https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/300,
please consider python-django (3:4.2.27-1+deb13u1) for trixie:
python-django (3:4.2.27-1+deb13u1) trixie; urgency=high
.
* New upstream security release:
.
- CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
column aliases when using PostgreSQL. FilteredRelation was subject to
SQL
injection in column aliases via a suitably crafted dictionary as the
**kwargs passed to QuerySet.annotate() or QuerySet.alias().
.
- CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases. The FilteredRelation feature in Django was subject to a
potential SQL injection vulnerability in column aliases that was
exploitable via suitably crafted dictionary with dictionary expansion as
the **kwargs passed QuerySet.annotate() or QuerySet.alias(). This CVE
was fixed in Django 4.2.24. (Closes: #1113865)
.
- CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
subject to SQL injection in column aliases, using a suitably crafted
dictionary with dictionary expansion as the **kwargs passed to these
methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
.
- CVE-2025-59682: Potential partial directory-traversal via
archive.extract(). The django.utils.archive.extract() function, used by
startapp --template and startproject --template allowed partial
directory-traversal via an archive with file paths sharing a common
prefix with the target directory. This CVE was fixed in Django 4.2.25.
.
- CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
argument in QuerySet/Q objects. The methods QuerySet.filter(),
QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
SQL injection when using a suitably crafted dictionary (with dictionary
expansion) as the _connector argument. This CVE was fixed in Django
4.2.26.
.
- CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
XML serializer text extraction. An algorithmic complexity issue in
django.core.serializers.xml_serializer.getInnerText() allowed a remote
attacker to cause a potential denial-of-service triggering CPU and
memory
exhaustion via a specially crafted XML input submitted to a service that
invokes XML Deserializer. The vulnerability resulted from repeated
string
concatenation while recursively collecting text nodes, which produced
superlinear computation. (Closes: #1121788)
.
<https://docs.djangoproject.com/en/4.2/releases/4.2.27/>
The relevant Debusine job is as follows:
https://debusine.debian.net/debian/developers/work-request/357875/
There are three failures of autopkgtests in reverse-dependencies, which I
have investigated as follows:
* src:debusine — appears to be some unshare(1)/namespace issue.
* src:django-ldapdb — "Depends: python3-volatildap but it is not installable"
* src:pyinstaller — Socket/internet issue
"tests/functional/test_scipy.py::test_scipy[onedir-scipy.spatial] Error:
websocket: close 1006 (abnormal closure): unexpected EOF"
The full diff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git debian/changelog debian/changelog
index 8120d436f..a4c0b0d99 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,52 @@
+python-django (3:4.2.27-1+deb13u1) trixie; urgency=high
+
+ * New upstream security release:
+
+ - CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
+ column aliases when using PostgreSQL. FilteredRelation was subject to SQL
+ injection in column aliases via a suitably crafted dictionary as the
+ **kwargs passed to QuerySet.annotate() or QuerySet.alias().
+
+ - CVE-2025-57833: Potential SQL injection in FilteredRelation column
+ aliases. The FilteredRelation feature in Django was subject to a
+ potential SQL injection vulnerability in column aliases that was
+ exploitable via suitably crafted dictionary with dictionary expansion as
+ the **kwargs passed QuerySet.annotate() or QuerySet.alias(). This CVE
+ was fixed in Django 4.2.24. (Closes: #1113865)
+
+ - CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(),
+ aggregate() and extra() on MySQL and MariaDB. QuerySet.annotate(),
+ QuerySet.alias(), QuerySet.aggregate() and QuerySet.extra() methods were
+ subject to SQL injection in column aliases, using a suitably crafted
+ dictionary with dictionary expansion as the **kwargs passed to these
+ methods on MySQL and MariaDB. This CVE was fixed in Django 4.2.25.
+
+ - CVE-2025-59682: Potential partial directory-traversal via
+ archive.extract(). The django.utils.archive.extract() function, used by
+ startapp --template and startproject --template allowed partial
+ directory-traversal via an archive with file paths sharing a common
+ prefix with the target directory. This CVE was fixed in Django 4.2.25.
+
+ - CVE-2025-64459: Prevent a potential SQL injection via _connector keyword
+ argument in QuerySet/Q objects. The methods QuerySet.filter(),
+ QuerySet.exclude(), and QuerySet.get() and the class Q() were subject to
+ SQL injection when using a suitably crafted dictionary (with dictionary
+ expansion) as the _connector argument. This CVE was fixed in Django
+ 4.2.26.
+
+ - CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
+ XML serializer text extraction. An algorithmic complexity issue in
+ django.core.serializers.xml_serializer.getInnerText() allowed a remote
+ attacker to cause a potential denial-of-service triggering CPU and memory
+ exhaustion via a specially crafted XML input submitted to a service that
+ invokes XML Deserializer. The vulnerability resulted from repeated string
+ concatenation while recursively collecting text nodes, which produced
+ superlinear computation. (Closes: #1121788)
+
+ <https://docs.djangoproject.com/en/4.2/releases/4.2.27/>
+
+ -- Chris Lamb <[email protected]> Fri, 23 Jan 2026 10:43:29 -0800
+
python-django (3:4.2.23-1) unstable; urgency=high
* New upstream bugfix release. Quoting upstream:
diff --git Django.egg-info/PKG-INFO Django.egg-info/PKG-INFO
index 5c98d60ee..fe5c1526a 100644
--- Django.egg-info/PKG-INFO
+++ Django.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: Django
-Version: 4.2.23
+Version: 4.2.27
Summary: A high-level Python web framework that encourages rapid development
and clean, pragmatic design.
Author-email: Django Software Foundation <[email protected]>
License: BSD-3-Clause
diff --git Django.egg-info/SOURCES.txt Django.egg-info/SOURCES.txt
index ca8895c96..c03bfd953 100644
--- Django.egg-info/SOURCES.txt
+++ Django.egg-info/SOURCES.txt
@@ -3315,6 +3315,7 @@ django/db/backends/oracle/validation.py
django/db/backends/postgresql/__init__.py
django/db/backends/postgresql/base.py
django/db/backends/postgresql/client.py
+django/db/backends/postgresql/compiler.py
django/db/backends/postgresql/creation.py
django/db/backends/postgresql/features.py
django/db/backends/postgresql/introspection.py
@@ -4206,6 +4207,10 @@ docs/releases/4.2.20.txt
docs/releases/4.2.21.txt
docs/releases/4.2.22.txt
docs/releases/4.2.23.txt
+docs/releases/4.2.24.txt
+docs/releases/4.2.25.txt
+docs/releases/4.2.26.txt
+docs/releases/4.2.27.txt
docs/releases/4.2.3.txt
docs/releases/4.2.4.txt
docs/releases/4.2.5.txt
@@ -4299,7 +4304,6 @@ js_tests/admin/inlines.test.js
js_tests/admin/jsi18n-mocks.test.js
js_tests/admin/navigation.test.js
js_tests/gis/mapwidget.test.js
-scripts/manage_translations.py
tests/.coveragerc
tests/README.rst
tests/runtests.py
diff --git MANIFEST.in MANIFEST.in
index cba764b41..0492e7cbc 100644
--- MANIFEST.in
+++ MANIFEST.in
@@ -10,6 +10,6 @@ graft django
graft docs
graft extras
graft js_tests
-graft scripts
graft tests
global-exclude *.py[co]
+prune scripts
diff --git PKG-INFO PKG-INFO
index 5c98d60ee..fe5c1526a 100644
--- PKG-INFO
+++ PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: Django
-Version: 4.2.23
+Version: 4.2.27
Summary: A high-level Python web framework that encourages rapid development
and clean, pragmatic design.
Author-email: Django Software Foundation <[email protected]>
License: BSD-3-Clause
diff --git django/__init__.py django/__init__.py
index 49e1e4201..06680666d 100644
--- django/__init__.py
+++ django/__init__.py
@@ -1,6 +1,6 @@
from django.utils.version import get_version
-VERSION = (4, 2, 23, "final", 0)
+VERSION = (4, 2, 27, "final", 0)
__version__ = get_version(VERSION)
diff --git django/core/serializers/xml_serializer.py
django/core/serializers/xml_serializer.py
index 3f9955aa2..5db8c067c 100644
--- django/core/serializers/xml_serializer.py
+++ django/core/serializers/xml_serializer.py
@@ -2,7 +2,8 @@
XML serializer.
"""
import json
-from xml.dom import pulldom
+from contextlib import contextmanager
+from xml.dom import minidom, pulldom
from xml.sax import handler
from xml.sax.expatreader import ExpatParser as _ExpatParser
@@ -14,6 +15,25 @@ from django.db import DEFAULT_DB_ALIAS, models
from django.utils.xmlutils import SimplerXMLGenerator,
UnserializableContentError
+@contextmanager
+def fast_cache_clearing():
+ """Workaround for performance issues in minidom document checks.
+
+ Speeds up repeated DOM operations by skipping unnecessary full traversal
+ of the DOM tree.
+ """
+ module_helper_was_lambda = False
+ if original_fn := getattr(minidom, "_in_document", None):
+ module_helper_was_lambda = original_fn.__name__ == "<lambda>"
+ if not module_helper_was_lambda:
+ minidom._in_document = lambda node: bool(node.ownerDocument)
+ try:
+ yield
+ finally:
+ if original_fn and not module_helper_was_lambda:
+ minidom._in_document = original_fn
+
+
class Serializer(base.Serializer):
"""Serialize a QuerySet to XML."""
@@ -208,7 +228,8 @@ class Deserializer(base.Deserializer):
def __next__(self):
for event, node in self.event_stream:
if event == "START_ELEMENT" and node.nodeName == "object":
- self.event_stream.expandNode(node)
+ with fast_cache_clearing():
+ self.event_stream.expandNode(node)
return self._handle_object(node)
raise StopIteration
@@ -392,19 +413,25 @@ class Deserializer(base.Deserializer):
def getInnerText(node):
"""Get all the inner text of a DOM node (recursively)."""
+ inner_text_list = getInnerTextList(node)
+ return "".join(inner_text_list)
+
+
+def getInnerTextList(node):
+ """Return a list of the inner texts of a DOM node (recursively)."""
# inspired by
https://mail.python.org/pipermail/xml-sig/2005-March/011022.html
- inner_text = []
+ result = []
for child in node.childNodes:
if (
child.nodeType == child.TEXT_NODE
or child.nodeType == child.CDATA_SECTION_NODE
):
- inner_text.append(child.data)
+ result.append(child.data)
elif child.nodeType == child.ELEMENT_NODE:
- inner_text.extend(getInnerText(child))
+ result.extend(getInnerTextList(child))
else:
pass
- return "".join(inner_text)
+ return result
# Below code based on Christian Heimes' defusedxml
diff --git django/db/backends/postgresql/compiler.py
django/db/backends/postgresql/compiler.py
new file mode 100644
index 000000000..d4140c7f9
--- /dev/null
+++ django/db/backends/postgresql/compiler.py
@@ -0,0 +1,24 @@
+from django.db.models.sql.compiler import ( # isort:skip
+ SQLAggregateCompiler,
+ SQLCompiler as BaseSQLCompiler,
+ SQLDeleteCompiler,
+ SQLInsertCompiler,
+ SQLUpdateCompiler,
+)
+
+__all__ = [
+ "SQLAggregateCompiler",
+ "SQLCompiler",
+ "SQLDeleteCompiler",
+ "SQLInsertCompiler",
+ "SQLUpdateCompiler",
+]
+
+
+class SQLCompiler(BaseSQLCompiler):
+ def quote_name_unless_alias(self, name):
+ if "$" in name:
+ raise ValueError(
+ "Dollar signs are not permitted in column aliases on
PostgreSQL."
+ )
+ return super().quote_name_unless_alias(name)
diff --git django/db/backends/postgresql/operations.py
django/db/backends/postgresql/operations.py
index c4d90b56a..24ad90e5f 100644
--- django/db/backends/postgresql/operations.py
+++ django/db/backends/postgresql/operations.py
@@ -23,6 +23,7 @@ def get_json_dumps(encoder):
class DatabaseOperations(BaseDatabaseOperations):
+ compiler_module = "django.db.backends.postgresql.compiler"
cast_char_field_without_max_length = "varchar"
explain_prefix = "EXPLAIN"
explain_options = frozenset(
diff --git django/db/models/query.py django/db/models/query.py
index 19c9ced23..31718a3a3 100644
--- django/db/models/query.py
+++ django/db/models/query.py
@@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21
# The maximum number of items to display in a QuerySet.__repr__
REPR_OUTPUT_SIZE = 20
+PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
+
class BaseIterable:
def __init__(
@@ -1455,6 +1457,9 @@ class QuerySet(AltersData):
return clone
def _filter_or_exclude_inplace(self, negate, args, kwargs):
+ if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
+ invalid_kwargs_str = ", ".join(f"'{k}'" for k in
sorted(invalid_kwargs))
+ raise TypeError(f"The following kwargs are invalid:
{invalid_kwargs_str}")
if negate:
self._query.add_q(~Q(*args, **kwargs))
else:
diff --git django/db/models/query_utils.py django/db/models/query_utils.py
index 5c5644cfb..a85a682e5 100644
--- django/db/models/query_utils.py
+++ django/db/models/query_utils.py
@@ -44,8 +44,12 @@ class Q(tree.Node):
XOR = "XOR"
default = AND
conditional = True
+ connectors = (None, AND, OR, XOR)
def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+ if _connector not in self.connectors:
+ connector_reprs = ", ".join(f"{conn!r}" for conn in
self.connectors[1:])
+ raise ValueError(f"_connector must be one of {connector_reprs}, or
None.")
super().__init__(
children=[*args, *sorted(kwargs.items())],
connector=_connector,
diff --git django/db/models/sql/query.py django/db/models/sql/query.py
index e68fd9efb..3b8071eab 100644
--- django/db/models/sql/query.py
+++ django/db/models/sql/query.py
@@ -46,9 +46,9 @@ from django.utils.tree import Node
__all__ = ["Query", "RawQuery"]
-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
# SQL comments are forbidden in column aliases.
-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
# Inspired from
#
https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
@@ -1123,8 +1123,8 @@ class Query(BaseExpression):
def check_alias(self, alias):
if FORBIDDEN_ALIAS_PATTERN.search(alias):
raise ValueError(
- "Column aliases cannot contain whitespace characters,
quotation marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes, "
+ "quotation marks, semicolons, or SQL comments."
)
def add_annotation(self, annotation, alias, select=True):
@@ -1620,6 +1620,7 @@ class Query(BaseExpression):
return target_clause
def add_filtered_relation(self, filtered_relation, alias):
+ self.check_alias(alias)
filtered_relation.alias = alias
lookups = dict(get_children_from_q(filtered_relation.condition))
relation_lookup_parts, relation_field_parts, _ =
self.solve_lookup_type(
diff --git django/http/response.py django/http/response.py
index ea3114170..28b8fa6d3 100644
--- django/http/response.py
+++ django/http/response.py
@@ -21,7 +21,11 @@ from django.http.cookie import SimpleCookie
from django.utils import timezone
from django.utils.datastructures import CaseInsensitiveMapping
from django.utils.encoding import iri_to_uri
-from django.utils.http import content_disposition_header, http_date
+from django.utils.http import (
+ MAX_URL_REDIRECT_LENGTH,
+ content_disposition_header,
+ http_date,
+)
from django.utils.regex_helper import _lazy_re_compile
_charset_from_content_type_re = _lazy_re_compile(
@@ -614,7 +618,12 @@ class HttpResponseRedirectBase(HttpResponse):
def __init__(self, redirect_to, *args, **kwargs):
super().__init__(*args, **kwargs)
self["Location"] = iri_to_uri(redirect_to)
- parsed = urlparse(str(redirect_to))
+ redirect_to_str = str(redirect_to)
+ if len(redirect_to_str) > MAX_URL_REDIRECT_LENGTH:
+ raise DisallowedRedirect(
+ f"Unsafe redirect exceeding {MAX_URL_REDIRECT_LENGTH}
characters"
+ )
+ parsed = urlparse(redirect_to_str)
if parsed.scheme and parsed.scheme not in self.allowed_schemes:
raise DisallowedRedirect(
"Unsafe redirect to URL with protocol '%s'" % parsed.scheme
diff --git django/utils/archive.py django/utils/archive.py
index 71ec2d001..e8af690e2 100644
--- django/utils/archive.py
+++ django/utils/archive.py
@@ -144,7 +144,11 @@ class BaseArchive:
def target_filename(self, to_path, name):
target_path = os.path.abspath(to_path)
filename = os.path.abspath(os.path.join(target_path, name))
- if not filename.startswith(target_path):
+ try:
+ if os.path.commonpath([target_path, filename]) != target_path:
+ raise SuspiciousOperation("Archive contains invalid path:
'%s'" % name)
+ except ValueError:
+ # Different drives on Windows raises ValueError.
raise SuspiciousOperation("Archive contains invalid path: '%s'" %
name)
return filename
diff --git django/utils/html.py django/utils/html.py
index 84c37d118..11ffd53eb 100644
--- django/utils/html.py
+++ django/utils/html.py
@@ -9,12 +9,11 @@ from urllib.parse import parse_qsl, quote, unquote,
urlencode, urlsplit, urlunsp
from django.core.exceptions import SuspiciousOperation
from django.utils.encoding import punycode
from django.utils.functional import Promise, cached_property, keep_lazy,
keep_lazy_text
-from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
+from django.utils.http import MAX_URL_LENGTH, RFC3986_GENDELIMS,
RFC3986_SUBDELIMS
from django.utils.regex_helper import _lazy_re_compile
from django.utils.safestring import SafeData, SafeString, mark_safe
from django.utils.text import normalize_newlines
-MAX_URL_LENGTH = 2048
MAX_STRIP_TAGS_DEPTH = 50
# HTML tag that opens but has no closing ">" after 1k+ chars.
diff --git django/utils/http.py django/utils/http.py
index 94ad60bdb..0804937f3 100644
--- django/utils/http.py
+++ django/utils/http.py
@@ -47,6 +47,8 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" %
(__M, __D2, __T, __Y))
RFC3986_GENDELIMS = ":/?#[]@"
RFC3986_SUBDELIMS = "!$&'()*+,;="
+MAX_URL_LENGTH = 2048
+MAX_URL_REDIRECT_LENGTH = 16384
# TODO: Remove when dropping support for PY38.
# Unsafe bytes to be removed per WHATWG spec.
diff --git docs/internals/contributing/writing-code/submitting-patches.txt
docs/internals/contributing/writing-code/submitting-patches.txt
index be031f1f6..0a9d6b0d1 100644
--- docs/internals/contributing/writing-code/submitting-patches.txt
+++ docs/internals/contributing/writing-code/submitting-patches.txt
@@ -320,8 +320,8 @@ All code changes
* Does the :doc:`coding style
</internals/contributing/writing-code/coding-style>` conform to our
- guidelines? Are there any ``black``, ``blacken-docs``, ``flake8``, or
- ``isort`` errors? You can install the :ref:`pre-commit
+ guidelines? Are there any ``black``, ``blacken-docs``, ``flake8``,
+ ``isort``, or ``zizmor`` errors? You can install the :ref:`pre-commit
<coding-style-pre-commit>` hooks to automatically catch these errors.
* If the change is backwards incompatible in any way, is there a note
in the release notes (``docs/releases/A.B.txt``)?
diff --git docs/internals/contributing/writing-code/unit-tests.txt
docs/internals/contributing/writing-code/unit-tests.txt
index 874038a55..d9f8a276e 100644
--- docs/internals/contributing/writing-code/unit-tests.txt
+++ docs/internals/contributing/writing-code/unit-tests.txt
@@ -69,7 +69,7 @@ command from any place in the Django source tree:
$ tox
By default, ``tox`` runs the test suite with the bundled test settings file for
-SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, and the
+SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, ``zizmor``, and the
documentation spelling checker. In addition to the system dependencies noted
elsewhere in this documentation, the command ``python3`` must be on your path
and linked to the appropriate version of Python. A list of default environments
@@ -84,6 +84,7 @@ can be seen as follows:
flake8>=3.7.0
docs
isort>=5.1.0
+ zizmor>=1.16.3
Testing other Python versions and database backends
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -284,7 +285,7 @@ dependencies:
* :pypi:`asgiref` 3.6.0+ (required)
* :pypi:`bcrypt`
* :pypi:`colorama`
-* :pypi:`docutils`
+* :pypi:`docutils` <0.22
* :pypi:`geoip2`
* :pypi:`Jinja2` 2.11+
* :pypi:`numpy`
diff --git docs/ref/contrib/admin/admindocs.txt
docs/ref/contrib/admin/admindocs.txt
index cc121a7be..9806aa243 100644
--- docs/ref/contrib/admin/admindocs.txt
+++ docs/ref/contrib/admin/admindocs.txt
@@ -23,7 +23,8 @@ the following:
your ``urlpatterns``. Make sure it's included *before* the
``'admin/'`` entry, so that requests to ``/admin/doc/`` don't get
handled by the latter entry.
-* Install the docutils Python module (https://docutils.sourceforge.io/).
+* Install the docutils Python module version <0.22
+ (https://docutils.sourceforge.io/).
* **Optional:** Using the admindocs bookmarklets requires
``django.contrib.admindocs.middleware.XViewMiddleware`` to be installed.
diff --git docs/releases/4.2.24.txt docs/releases/4.2.24.txt
new file mode 100644
index 000000000..e50148391
--- /dev/null
+++ docs/releases/4.2.24.txt
@@ -0,0 +1,14 @@
+===========================
+Django 4.2.24 release notes
+===========================
+
+*September 3, 2025*
+
+Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
+
+CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+==============================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
diff --git docs/releases/4.2.25.txt docs/releases/4.2.25.txt
new file mode 100644
index 000000000..7ba23c013
--- /dev/null
+++ docs/releases/4.2.25.txt
@@ -0,0 +1,25 @@
+===========================
+Django 4.2.25 release notes
+===========================
+
+*October 1, 2025*
+
+Django 4.2.25 fixes one security issue with severity "high" and one security
+issue with severity "low" in 4.2.24.
+
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``,
``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
+======================================================================================================================================
+
+:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
+:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
+to SQL injection in column aliases, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
+:cve:`2022-28346`).
+
+CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
+===============================================================================
+
+The ``django.utils.archive.extract()`` function, used by
+:option:`startapp --template` and :option:`startproject --template`, allowed
+partial directory-traversal via an archive with file paths sharing a common
+prefix with the target directory (follow up to :cve:`2021-3281`).
diff --git docs/releases/4.2.26.txt docs/releases/4.2.26.txt
new file mode 100644
index 000000000..20cf48f05
--- /dev/null
+++ docs/releases/4.2.26.txt
@@ -0,0 +1,25 @@
+===========================
+Django 4.2.26 release notes
+===========================
+
+*November 5, 2025*
+
+Django 4.2.26 fixes one security issue with severity "high" and one security
+issue with severity "moderate" in 4.2.25.
+
+CVE-2025-64458: Potential denial-of-service vulnerability in
``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
+
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
diff --git docs/releases/4.2.27.txt docs/releases/4.2.27.txt
new file mode 100644
index 000000000..b843f6a44
--- /dev/null
+++ docs/releases/4.2.27.txt
@@ -0,0 +1,34 @@
+===========================
+Django 4.2.27 release notes
+===========================
+
+*December 2, 2025*
+
+Django 4.2.27 fixes one security issue with severity "high", one security issue
+with severity "moderate", and one bug in 4.2.26.
+
+CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases
on PostgreSQL
+============================================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
+PostgreSQL.
+
+CVE-2025-64460: Potential denial-of-service vulnerability in XML
``Deserializer``
+=================================================================================
+
+:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
+denial-of-service attack due to quadratic time complexity when deserializing
+crafted documents containing many nested invalid elements. The internal helper
+``django.core.serializers.xml_serializer.getInnerText()`` previously
+accumulated inner text inefficiently during recursion. It now collects text per
+element, avoiding excessive resource usage.
+
+Bugfixes
+========
+
+* Fixed a regression in Django 4.2.26 where ``DisallowedRedirect`` was raised
+ by :class:`~django.http.HttpResponseRedirect` and
+ :class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
+ characters. The limit is now 16384 characters (:ticket:`36743`).
diff --git docs/releases/index.txt docs/releases/index.txt
index 73195b535..f5a6770bc 100644
--- docs/releases/index.txt
+++ docs/releases/index.txt
@@ -26,6 +26,10 @@ versions of the documentation contain the release notes for
any later releases.
.. toctree::
:maxdepth: 1
+ 4.2.27
+ 4.2.26
+ 4.2.25
+ 4.2.24
4.2.23
4.2.22
4.2.21
diff --git docs/releases/security.txt docs/releases/security.txt
index de8fc96d6..e5b9878ab 100644
--- docs/releases/security.txt
+++ docs/releases/security.txt
@@ -36,6 +36,65 @@ Issues under Django's security process
All security issues have been handled under versions of Django's security
process. These are listed below.
+November 5, 2025 - :cve:`2025-64458`
+------------------------------------
+
+Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and
+``HttpResponsePermanentRedirect`` on Windows. `Full description
+<https://www.djangoproject.com/weblog/2025/nov/05/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <6e13348436fccf8f22982921d6a3a3e65c956a9f>`
+* Django 5.2 :commit:`(patch) <4f5d904b63751dea9ffc3b0e046404a7fa5881ac>`
+* Django 5.1 :commit:`(patch) <3790593781d26168e7306b5b2f8ea0309de16242>`
+* Django 4.2 :commit:`(patch) <770eea38d7a0e9ba9455140b5a9a9e33618226a7>`
+
+November 5, 2025 - :cve:`2025-64459`
+------------------------------------
+
+Potential SQL injection via ``_connector`` keyword argument in ``QuerySet`` and
+``Q`` objects. `Full description
+<https://www.djangoproject.com/weblog/2025/nov/05/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <06dd38324ac3d60d83d9f3adabf0dcdf423d2a85>`
+* Django 5.2 :commit:`(patch) <6703f364d767e949c5b0e4016433ef75063b4f9b>`
+* Django 5.1 :commit:`(patch) <72d2c87431f2ae0431d65d0ec792047f078c8241>`
+* Django 4.2 :commit:`(patch) <59ae82e67053d281ff4562a24bbba21299f0a7d4>`
+
+October 1, 2025 - :cve:`2025-59681`
+-----------------------------------
+
+Potential SQL injection in ``QuerySet.annotate()``, ``alias()``,
+``aggregate()``, and ``extra()`` on MySQL and MariaDB. `Full description
+<https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <4ceaaee7e04b416fc465e838a6ef43ca0ccffafe>`
+* Django 5.2 :commit:`(patch) <52fbae0a4dbbe5faa59827f8f05694a0065cc135>`
+* Django 5.1 :commit:`(patch) <01d2d770e22bffe53c7f1e611e2bbca94cb8a2e7>`
+* Django 4.2 :commit:`(patch) <38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5>`
+
+October 1, 2025 - :cve:`2025-59682`
+-----------------------------------
+
+Potential partial directory-traversal via ``archive.extract()``.
+`Full description
+<https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <af067f56c1dd467df4abd0ddd409a700da1f03ba>`
+* Django 5.2 :commit:`(patch) <ed8fc39d77465eddbde1191a054ae965f6a8a584>`
+* Django 5.1 :commit:`(patch) <74fa85c688a87224637155902bcd738bb9e65e11>`
+* Django 4.2 :commit:`(patch) <9504bbaa392c9fe37eee9291f5b4c29eb6037619>`
+
+September 3, 2025 - :cve:`2025-57833`
+-------------------------------------
+
+Potential SQL injection in ``FilteredRelation`` column aliases.
+`Full description
+<https://www.djangoproject.com/weblog/2025/sep/03/security-releases/>`__
+
+* Django 5.2 :commit:`(patch) <4c044fcc866ec226f612c475950b690b0139d243>`
+* Django 5.1 :commit:`(patch) <102965ea93072fe3c39a30be437c683ec1106ef5>`
+* Django 4.2 :commit:`(patch) <31334e6965ad136a5e369993b01721499c5d1a92>`
+
June 4, 2025 - :cve:`2025-48432`
--------------------------------
@@ -47,6 +106,14 @@ Potential log injection via unescaped request path.
* Django 5.1 :commit:`(patch) <596542ddb46cdabe011322917e1655f0d24eece2>`
* Django 4.2 :commit:`(patch) <ac03c5e7df8680c61cdb0d3bdb8be9095dba841e>`
+There was an additional hardening with new patch releases published on June 10,
+2025. `Full description
+<https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/>`__
+
+* Django 5.2.3 :commit:`(patch) <8fcc83953c350e158a484bf1da0aa1b79b69bb07>`
+* Django 5.1.11 :commit:`(patch) <31f4bd31fa16f7f5302f65b9b8b7a49b69a7c4a6>`
+* Django 4.2.23 :commit:`(patch) <b597d46bb19c8567615e62029210dab16c70db7d>`
+
May 7, 2025 - :cve:`2025-32873`
-------------------------------
diff --git docs/topics/serialization.txt docs/topics/serialization.txt
index 0bb57642a..dc403ca1d 100644
--- docs/topics/serialization.txt
+++ docs/topics/serialization.txt
@@ -173,6 +173,8 @@ Identifier Information
.. _jsonl: https://jsonlines.org/
.. _PyYAML: https://pyyaml.org/
+.. _serialization-formats-xml:
+
XML
---
diff --git scripts/manage_translations.py scripts/manage_translations.py
deleted file mode 100644
index 5b82011f2..000000000
--- scripts/manage_translations.py
+++ /dev/null
@@ -1,219 +0,0 @@
-#!/usr/bin/env python
-#
-# This Python file contains utility scripts to manage Django translations.
-# It has to be run inside the django git root directory.
-#
-# The following commands are available:
-#
-# * update_catalogs: check for new strings in core and contrib catalogs, and
-# output how much strings are new/changed.
-#
-# * lang_stats: output statistics for each catalog/language combination
-#
-# * fetch: fetch translations from transifex.com
-#
-# Each command support the --languages and --resources options to limit their
-# operation to the specified language or resource. For example, to get stats
-# for Spanish in contrib.admin, run:
-#
-# $ python scripts/manage_translations.py lang_stats --language=es
--resources=admin
-
-import os
-from argparse import ArgumentParser
-from subprocess import run
-
-import django
-from django.conf import settings
-from django.core.management import call_command
-
-HAVE_JS = ["admin"]
-
-
-def _get_locale_dirs(resources, include_core=True):
- """
- Return a tuple (contrib name, absolute path) for all locale directories,
- optionally including the django core catalog.
- If resources list is not None, filter directories matching resources
content.
- """
- contrib_dir = os.path.join(os.getcwd(), "django", "contrib")
- dirs = []
-
- # Collect all locale directories
- for contrib_name in os.listdir(contrib_dir):
- path = os.path.join(contrib_dir, contrib_name, "locale")
- if os.path.isdir(path):
- dirs.append((contrib_name, path))
- if contrib_name in HAVE_JS:
- dirs.append(("%s-js" % contrib_name, path))
- if include_core:
- dirs.insert(0, ("core", os.path.join(os.getcwd(), "django", "conf",
"locale")))
-
- # Filter by resources, if any
- if resources is not None:
- res_names = [d[0] for d in dirs]
- dirs = [ld for ld in dirs if ld[0] in resources]
- if len(resources) > len(dirs):
- print(
- "You have specified some unknown resources. "
- "Available resource names are: %s" % (", ".join(res_names),)
- )
- exit(1)
- return dirs
-
-
-def _tx_resource_for_name(name):
- """Return the Transifex resource name"""
- if name == "core":
- return "django.core"
- else:
- return "django.contrib-%s" % name
-
-
-def _check_diff(cat_name, base_path):
- """
- Output the approximate number of changed/added strings in the en catalog.
- """
- po_path = "%(path)s/en/LC_MESSAGES/django%(ext)s.po" % {
- "path": base_path,
- "ext": "js" if cat_name.endswith("-js") else "",
- }
- p = run(
- "git diff -U0 %s | egrep '^[-+]msgid' | wc -l" % po_path,
- capture_output=True,
- shell=True,
- )
- num_changes = int(p.stdout.strip())
- print("%d changed/added messages in '%s' catalog." % (num_changes,
cat_name))
-
-
-def update_catalogs(resources=None, languages=None):
- """
- Update the en/LC_MESSAGES/django.po (main and contrib) files with
- new/updated translatable strings.
- """
- settings.configure()
- django.setup()
- if resources is not None:
- print("`update_catalogs` will always process all resources.")
- contrib_dirs = _get_locale_dirs(None, include_core=False)
-
- os.chdir(os.path.join(os.getcwd(), "django"))
- print("Updating en catalogs for Django and contrib apps...")
- call_command("makemessages", locale=["en"])
- print("Updating en JS catalogs for Django and contrib apps...")
- call_command("makemessages", locale=["en"], domain="djangojs")
-
- # Output changed stats
- _check_diff("core", os.path.join(os.getcwd(), "conf", "locale"))
- for name, dir_ in contrib_dirs:
- _check_diff(name, dir_)
-
-
-def lang_stats(resources=None, languages=None):
- """
- Output language statistics of committed translation files for each
- Django catalog.
- If resources is provided, it should be a list of translation resource to
- limit the output (e.g. ['core', 'gis']).
- """
- locale_dirs = _get_locale_dirs(resources)
-
- for name, dir_ in locale_dirs:
- print("\nShowing translations stats for '%s':" % name)
- langs = sorted(d for d in os.listdir(dir_) if not d.startswith("_"))
- for lang in langs:
- if languages and lang not in languages:
- continue
- # TODO: merge first with the latest en catalog
- po_path = "{path}/{lang}/LC_MESSAGES/django{ext}.po".format(
- path=dir_, lang=lang, ext="js" if name.endswith("-js") else ""
- )
- p = run(
- ["msgfmt", "-vc", "-o", "/dev/null", po_path],
- capture_output=True,
- env={"LANG": "C"},
- encoding="utf-8",
- )
- if p.returncode == 0:
- # msgfmt output stats on stderr
- print("%s: %s" % (lang, p.stderr.strip()))
- else:
- print(
- "Errors happened when checking %s translation for %s:\n%s"
- % (lang, name, p.stderr)
- )
-
-
-def fetch(resources=None, languages=None):
- """
- Fetch translations from Transifex, wrap long lines, generate mo files.
- """
- locale_dirs = _get_locale_dirs(resources)
- errors = []
-
- for name, dir_ in locale_dirs:
- # Transifex pull
- if languages is None:
- run(
- [
- "tx",
- "pull",
- "-r",
- _tx_resource_for_name(name),
- "-a",
- "-f",
- "--minimum-perc=5",
- ]
- )
- target_langs = sorted(
- d for d in os.listdir(dir_) if not d.startswith("_") and d !=
"en"
- )
- else:
- for lang in languages:
- run(["tx", "pull", "-r", _tx_resource_for_name(name), "-f",
"-l", lang])
- target_langs = languages
-
- # msgcat to wrap lines and msgfmt for compilation of .mo file
- for lang in target_langs:
- po_path = "%(path)s/%(lang)s/LC_MESSAGES/django%(ext)s.po" % {
- "path": dir_,
- "lang": lang,
- "ext": "js" if name.endswith("-js") else "",
- }
- if not os.path.exists(po_path):
- print(
- "No %(lang)s translation for resource %(name)s"
- % {"lang": lang, "name": name}
- )
- continue
- run(["msgcat", "--no-location", "-o", po_path, po_path])
- msgfmt = run(["msgfmt", "-c", "-o", "%s.mo" % po_path[:-3],
po_path])
- if msgfmt.returncode != 0:
- errors.append((name, lang))
- if errors:
- print("\nWARNING: Errors have occurred in following cases:")
- for resource, lang in errors:
- print("\tResource %s for language %s" % (resource, lang))
- exit(1)
-
-
-if __name__ == "__main__":
- RUNABLE_SCRIPTS = ("update_catalogs", "lang_stats", "fetch")
-
- parser = ArgumentParser()
- parser.add_argument("cmd", nargs=1, choices=RUNABLE_SCRIPTS)
- parser.add_argument(
- "-r",
- "--resources",
- action="append",
- help="limit operation to the specified resources",
- )
- parser.add_argument(
- "-l",
- "--languages",
- action="append",
- help="limit operation to the specified languages",
- )
- options = parser.parse_args()
-
- eval(options.cmd[0])(options.resources, options.languages)
diff --git tests/aggregation/tests.py tests/aggregation/tests.py
index 48266d977..277c0507f 100644
--- tests/aggregation/tests.py
+++ tests/aggregation/tests.py
@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "aggregation_author"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Author.objects.aggregate(**{crafted_alias: Avg("age")})
diff --git tests/annotations/tests.py tests/annotations/tests.py
index e0cdbf1e0..d876e3a6f 100644
--- tests/annotations/tests.py
+++ tests/annotations/tests.py
@@ -2,6 +2,7 @@ import datetime
from decimal import Decimal
from django.core.exceptions import FieldDoesNotExist, FieldError
+from django.db import connection
from django.db.models import (
BooleanField,
Case,
@@ -12,6 +13,7 @@ from django.db.models import (
Exists,
ExpressionWrapper,
F,
+ FilteredRelation,
FloatField,
Func,
IntegerField,
@@ -1115,12 +1117,21 @@ class NonAggregateAnnotationTestCase(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
+ def test_alias_filtered_relation_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(**{crafted_alias:
FilteredRelation("author")})
+
def test_alias_forbidden_chars(self):
tests = [
'al"ias',
@@ -1133,19 +1144,25 @@ class NonAggregateAnnotationTestCase(TestCase):
"ali/*as",
"alias*/",
"alias;",
- # [] are used by MSSQL.
+ # [] and # are used by MSSQL.
"alias[",
"alias]",
+ "ali#as",
]
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
for crafted_alias in tests:
with self.subTest(crafted_alias):
with self.assertRaisesMessage(ValueError, msg):
Book.objects.annotate(**{crafted_alias: Value(1)})
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.annotate(
+ **{crafted_alias: FilteredRelation("authors")}
+ )
+
class AliasTests(TestCase):
@classmethod
@@ -1413,8 +1430,28 @@ class AliasTests(TestCase):
def test_alias_sql_injection(self):
crafted_alias = """injected_name" from "annotations_book"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Book.objects.alias(**{crafted_alias: Value(1)})
+
+ def test_alias_filtered_relation_sql_injection(self):
+ crafted_alias = """injected_name" from "annotations_book"; --"""
+ msg = (
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
+ )
+ with self.assertRaisesMessage(ValueError, msg):
+ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
+
+ def test_alias_filtered_relation_sql_injection_dollar_sign(self):
+ qs = Book.objects.alias(
+ **{"crafted_alia$": FilteredRelation("authors")}
+ ).values("name", "crafted_alia$")
+ if connection.vendor == "postgresql":
+ msg = "Dollar signs are not permitted in column aliases on
PostgreSQL."
+ with self.assertRaisesMessage(ValueError, msg):
+ list(qs)
+ else:
+ self.assertEqual(qs.first()["name"], self.b1.name)
diff --git tests/expressions/test_queryset_values.py
tests/expressions/test_queryset_values.py
index 47bd1358d..080ee0618 100644
--- tests/expressions/test_queryset_values.py
+++ tests/expressions/test_queryset_values.py
@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
def test_values_expression_alias_sql_injection(self):
crafted_alias = """injected_name" from "expressions_company"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Company.objects.values(**{crafted_alias: F("ceo__salary")})
@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
def test_values_expression_alias_sql_injection_json_field(self):
crafted_alias = """injected_name" from "expressions_company"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
JSONFieldModel.objects.values(f"data__{crafted_alias}")
diff --git tests/gis_tests/gdal_tests/test_raster.py
tests/gis_tests/gdal_tests/test_raster.py
index cbe7d6b36..e1c135315 100644
--- tests/gis_tests/gdal_tests/test_raster.py
+++ tests/gis_tests/gdal_tests/test_raster.py
@@ -6,7 +6,7 @@ import zipfile
from pathlib import Path
from unittest import mock
-from django.contrib.gis.gdal import GDALRaster, SpatialReference
+from django.contrib.gis.gdal import GDAL_VERSION, GDALRaster, SpatialReference
from django.contrib.gis.gdal.error import GDALException
from django.contrib.gis.gdal.raster.band import GDALBand
from django.contrib.gis.shortcuts import numpy
@@ -406,6 +406,8 @@ class GDALRasterTests(SimpleTestCase):
self.assertIn("NAD83 / Florida GDL Albers", infos)
def test_compressed_file_based_raster_creation(self):
+ if GDAL_VERSION > (3, 4):
+ self.skipTest("GDAL_PIXEL_TYPES are missing types from GDAL 3.5+.")
rstfile = tempfile.NamedTemporaryFile(suffix=".tif")
# Make a compressed copy of an existing raster.
compressed = self.rs.warp(
diff --git tests/gis_tests/relatedapp/tests.py
tests/gis_tests/relatedapp/tests.py
index e11a410af..74aa64c0a 100644
--- tests/gis_tests/relatedapp/tests.py
+++ tests/gis_tests/relatedapp/tests.py
@@ -98,10 +98,15 @@ class RelatedGeoModelTest(TestCase):
self.assertEqual(type(u3), MultiPoint)
# Ordering of points in the result of the union is not defined and
- # implementation-dependent (DB backend, GEOS version)
- self.assertEqual({p.ewkt for p in ref_u1}, {p.ewkt for p in u1})
- self.assertEqual({p.ewkt for p in ref_u2}, {p.ewkt for p in u2})
- self.assertEqual({p.ewkt for p in ref_u1}, {p.ewkt for p in u3})
+ # implementation-dependent (DB backend, GEOS version).
+ tests = [
+ (u1, ref_u1),
+ (u2, ref_u2),
+ (u3, ref_u1),
+ ]
+ for union, ref in tests:
+ for point, ref_point in zip(sorted(union), sorted(ref)):
+ self.assertIs(point.equals_exact(ref_point, tolerance=6), True)
def test05_select_related_fk_to_subclass(self):
"""
diff --git tests/httpwrappers/tests.py tests/httpwrappers/tests.py
index fa2c8fd5d..3af20f930 100644
--- tests/httpwrappers/tests.py
+++ tests/httpwrappers/tests.py
@@ -24,6 +24,7 @@ from django.http import (
)
from django.test import SimpleTestCase
from django.utils.functional import lazystr
+from django.utils.http import MAX_URL_REDIRECT_LENGTH
class QueryDictTests(SimpleTestCase):
@@ -485,11 +486,25 @@ class HttpResponseTests(SimpleTestCase):
r.writelines(["foo\n", "bar\n", "baz\n"])
self.assertEqual(r.content, b"foo\nbar\nbaz\n")
+ def test_redirect_url_max_length(self):
+ base_url = "https://example.com/";
+ for length in (
+ MAX_URL_REDIRECT_LENGTH - 1,
+ MAX_URL_REDIRECT_LENGTH,
+ ):
+ long_url = base_url + "x" * (length - len(base_url))
+ with self.subTest(length=length):
+ response = HttpResponseRedirect(long_url)
+ self.assertEqual(response.url, long_url)
+ response = HttpResponsePermanentRedirect(long_url)
+ self.assertEqual(response.url, long_url)
+
def test_unsafe_redirect(self):
bad_urls = [
'data:text/html,<script>window.alert("xss")</script>',
"mailto:[email protected]";,
"file:///etc/passwd",
+ "é" * (MAX_URL_REDIRECT_LENGTH + 1),
]
for url in bad_urls:
with self.assertRaises(DisallowedRedirect):
diff --git tests/queries/test_q.py tests/queries/test_q.py
index cdf40292b..5f20a4176 100644
--- tests/queries/test_q.py
+++ tests/queries/test_q.py
@@ -225,6 +225,11 @@ class QTests(SimpleTestCase):
Q(*items, _connector=connector),
)
+ def test_connector_validation(self):
+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or
None."
+ with self.assertRaisesMessage(ValueError, msg):
+ Q(_connector="evil")
+
class QCheckTests(TestCase):
def test_basic(self):
diff --git tests/queries/tests.py tests/queries/tests.py
index a6a2b252e..2290ea29b 100644
--- tests/queries/tests.py
+++ tests/queries/tests.py
@@ -1943,8 +1943,8 @@ class Queries5Tests(TestCase):
def test_extra_select_alias_sql_injection(self):
crafted_alias = """injected_name" from "queries_note"; --"""
msg = (
- "Column aliases cannot contain whitespace characters, quotation
marks, "
- "semicolons, or SQL comments."
+ "Column aliases cannot contain whitespace characters, hashes,
quotation "
+ "marks, semicolons, or SQL comments."
)
with self.assertRaisesMessage(ValueError, msg):
Note.objects.extra(select={crafted_alias: "1"})
@@ -4490,6 +4490,14 @@ class TestInvalidValuesRelation(SimpleTestCase):
Annotation.objects.filter(tag__in=[123, "abc"])
+class TestInvalidFilterArguments(TestCase):
+ def test_filter_rejects_invalid_arguments(self):
+ school = School.objects.create()
+ msg = "The following kwargs are invalid: '_connector', '_negated'"
+ with self.assertRaisesMessage(TypeError, msg):
+ School.objects.filter(pk=school.pk, _negated=True,
_connector="evil")
+
+
class TestTicket24605(TestCase):
def test_ticket_24605(self):
"""
diff --git tests/requirements/py3.txt tests/requirements/py3.txt
index 7eebc20e0..b166df7bb 100644
--- tests/requirements/py3.txt
+++ tests/requirements/py3.txt
@@ -4,7 +4,7 @@ argon2-cffi >= 19.2.0
backports.zoneinfo; python_version < '3.9'
bcrypt
black == 23.12.1
-docutils
+docutils < 0.22
geoip2; python_version < '3.12'
jinja2 >= 2.11.0
numpy; python_version < '3.12'
diff --git tests/serializers/test_xml.py tests/serializers/test_xml.py
index c9df2f2a5..03462cfed 100644
--- tests/serializers/test_xml.py
+++ tests/serializers/test_xml.py
@@ -1,7 +1,10 @@
+import gc
+import time
from xml.dom import minidom
from django.core import serializers
-from django.core.serializers.xml_serializer import DTDForbidden
+from django.core.serializers.xml_serializer import Deserializer, DTDForbidden
+from django.db import models
from django.test import TestCase, TransactionTestCase
from .tests import SerializersTestBase, SerializersTransactionTestBase
@@ -90,6 +93,56 @@ class XmlSerializerTestCase(SerializersTestBase, TestCase):
with self.assertRaises(DTDForbidden):
next(serializers.deserialize("xml", xml))
+ def test_crafted_xml_performance(self):
+ """The time to process invalid inputs is not quadratic."""
+
+ def build_crafted_xml(depth, leaf_text_len):
+ nested_open = "<nested>" * depth
+ nested_close = "</nested>" * depth
+ leaf = "x" * leaf_text_len
+ field_content = f"{nested_open}{leaf}{nested_close}"
+ return f"""
+ <django-objects version="1.0">
+ <object model="contenttypes.contenttype" pk="1">
+ <field name="app_label">{field_content}</field>
+ <field name="model">m</field>
+ </object>
+ </django-objects>
+ """
+
+ def deserialize(crafted_xml):
+ iterator = Deserializer(crafted_xml)
+ gc.collect()
+
+ start_time = time.perf_counter()
+ result = list(iterator)
+ end_time = time.perf_counter()
+
+ self.assertEqual(len(result), 1)
+ self.assertIsInstance(result[0].object, models.Model)
+ return end_time - start_time
+
+ def assertFactor(label, params, factor=2):
+ factors = []
+ prev_time = None
+ for depth, length in params:
+ crafted_xml = build_crafted_xml(depth, length)
+ elapsed = deserialize(crafted_xml)
+ if prev_time is not None:
+ factors.append(elapsed / prev_time)
+ prev_time = elapsed
+
+ with self.subTest(label):
+ # Assert based on the average factor to reduce test flakiness.
+ self.assertLessEqual(sum(factors) / len(factors), factor)
+
+ assertFactor(
+ "varying depth, varying length",
+ [(50, 2000), (100, 4000), (200, 8000), (400, 16000), (800, 32000)],
+ 2,
+ )
+ assertFactor("constant depth, varying length", [(100, 1), (100,
1000)], 2)
+
class XmlSerializerTransactionTestCase(
SerializersTransactionTestBase, TransactionTestCase
diff --git tests/test_runner/test_parallel.py tests/test_runner/test_parallel.py
index eea9e4de7..5fbd0658b 100644
--- tests/test_runner/test_parallel.py
+++ tests/test_runner/test_parallel.py
@@ -21,6 +21,12 @@ class ExceptionThatFailsUnpickling(Exception):
def __init__(self, arg):
super().__init__()
+ def __reduce__(self):
+ # tblib 3.2+ makes exception subclasses picklable by default.
+ # Return (cls, ()) so the constructor fails on unpickle, preserving
+ # the needed behavior for test_pickle_errors_detection.
+ return (self.__class__, ())
+
class ParallelTestRunnerTest(SimpleTestCase):
"""
@@ -102,6 +108,8 @@ class RemoteTestResultTest(SimpleTestCase):
result = RemoteTestResult()
result._confirm_picklable(picklable_error)
+ # The exception can be pickled but not unpickled.
+ pickle.dumps(not_unpicklable_error)
msg = "__init__() missing 1 required positional argument"
with self.assertRaisesMessage(TypeError, msg):
result._confirm_picklable(not_unpicklable_error)
diff --git tests/test_utils/tests.py tests/test_utils/tests.py
index a440e7d96..e4c613e96 100644
--- tests/test_utils/tests.py
+++ tests/test_utils/tests.py
@@ -966,7 +966,7 @@ class HTMLEqualTests(SimpleTestCase):
"('Unexpected end tag `div` (Line 1, Column 6)', (1, 6))"
)
with self.assertRaisesMessage(AssertionError, error_msg):
- self.assertHTMLEqual("< div></ div>", "<div></div>")
+ self.assertHTMLEqual("< div></div>", "<div></div>")
with self.assertRaises(HTMLParseError):
parse_html("</p>")
diff --git tests/utils_tests/test_archive.py tests/utils_tests/test_archive.py
index 8cd107063..8063dafb6 100644
--- tests/utils_tests/test_archive.py
+++ tests/utils_tests/test_archive.py
@@ -3,6 +3,7 @@ import stat
import sys
import tempfile
import unittest
+import zipfile
from django.core.exceptions import SuspiciousOperation
from django.test import SimpleTestCase
@@ -96,3 +97,21 @@ class TestArchiveInvalid(SimpleTestCase):
with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
with self.assertRaisesMessage(SuspiciousOperation, msg %
invalid_path):
archive.extract(os.path.join(archives_dir, entry), tmpdir)
+
+ def test_extract_function_traversal_startswith(self):
+ with tempfile.TemporaryDirectory() as tmpdir:
+ base = os.path.abspath(tmpdir)
+ tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip",
delete=False)
+ tar_path = tarfile_handle.name
+ tarfile_handle.close()
+ self.addCleanup(os.remove, tar_path)
+
+ malicious_member = os.path.join(base + "abc", "evil.txt")
+ with zipfile.ZipFile(tar_path, "w") as zf:
+ zf.writestr(malicious_member, "evil\n")
+ zf.writestr("test.txt", "data\n")
+
+ with self.assertRaisesMessage(
+ SuspiciousOperation, "Archive contains invalid path"
+ ):
+ archive.extract(tar_path, base)
diff --git tests/utils_tests/test_html.py tests/utils_tests/test_html.py
index 25168e234..f755b8ceb 100644
--- tests/utils_tests/test_html.py
+++ tests/utils_tests/test_html.py
@@ -1,4 +1,5 @@
import os
+import sys
from datetime import datetime
from django.core.exceptions import SuspiciousOperation
@@ -85,6 +86,24 @@ class TestUtilsHtml(SimpleTestCase):
self.check_output(linebreaks, lazystr(value), output)
def test_strip_tags(self):
+ # Python fixed a quadratic-time issue in HTMLParser in 3.13.6, 3.12.12,
+ # 3.11.14, 3.10.19, and 3.9.24. The fix slightly changes HTMLParser's
+ # output, so tests for particularly malformed input must handle both
+ # old and new results. The check below is temporary until all supported
+ # Python versions and CI workers include the fix. See:
+ # https://github.com/python/cpython/commit/6eb6c5db
+ min_fixed = {
+ (3, 14): (3, 14),
+ (3, 13): (3, 13, 6),
+ (3, 12): (3, 12, 12),
+ (3, 11): (3, 11, 14),
+ (3, 10): (3, 10, 19),
+ (3, 9): (3, 9, 24),
+ }
+ py_version = sys.version_info[:2]
+ htmlparser_fixed = (
+ py_version in min_fixed and sys.version_info >=
min_fixed[py_version]
+ )
items = (
(
"<p>See: 'é is an apostrophe followed by e
acute</p>",
@@ -112,10 +131,16 @@ class TestUtilsHtml(SimpleTestCase):
("&gotcha&#;<>", "&gotcha&#;<>"),
("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
("<script>alert()</script>&h", "alert()h"),
- ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
+ (
+ "><!" + ("&" * 16000) + "D",
+ ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
+ ),
("X<<<<br>br>br>br>X", "XX"),
("<" * 50 + "a>" * 50, ""),
- (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
+ (
+ ">" + "<a" * 500 + "a",
+ ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
+ ),
("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
("<" + "a" * 1_002, "<" + "a" * 1_002),
)
--- End Message ---
