Overview

File CVE-2025-59681.patch of Package python-Django.openSUSE_Backports_SLE-15-SP6_Update

From 08f77ae79a096cf02e886ee39970c573c7862484 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 10 Sep 2025 09:53:52 +0200
Subject: [PATCH 1/2] [4.2.x] Fixed CVE-2025-59681 -- Protected
 QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection
 in column aliases on MySQL/MariaDB.

Thanks sw0rd1ight for the report.

Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
---
 django/db/models/sql/query.py             |  8 ++++----
 docs/releases/4.2.25.txt                  |  9 ++++++++-
 tests/aggregation/tests.py                |  4 ++--
 tests/annotations/tests.py                | 23 ++++++++++++-----------
 tests/expressions/test_queryset_values.py |  8 ++++----
 tests/queries/tests.py                    |  4 ++--
 6 files changed, 32 insertions(+), 24 deletions(-)

Index: Django-2.2.28/django/db/models/sql/query.py
===================================================================
--- Django-2.2.28.orig/django/db/models/sql/query.py
+++ Django-2.2.28/django/db/models/sql/query.py
@@ -41,9 +41,9 @@ from django.utils.tree import Node
 
 __all__ = ['Query', 'RawQuery']
 
-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
 # SQL comments are forbidden in column aliases.
-FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
 
 # Inspired from
 # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
@@ -1012,8 +1012,8 @@ class Query:
     def check_alias(self, alias):
         if FORBIDDEN_ALIAS_PATTERN.search(alias):
             raise ValueError(
-                "Column aliases cannot contain whitespace characters, quotation marks, "
-                "semicolons, or SQL comments."
+                "Column aliases cannot contain whitespace characters, hashes, "
+                "quotation marks, semicolons, or SQL comments."
             )
 
     def add_annotation(self, annotation, alias, is_summary=False):
Index: Django-2.2.28/tests/aggregation/tests.py
===================================================================
--- Django-2.2.28.orig/tests/aggregation/tests.py
+++ Django-2.2.28/tests/aggregation/tests.py
@@ -1118,8 +1118,8 @@ class AggregateTestCase(TestCase):
     def test_alias_sql_injection(self):
         crafted_alias = """injected_name" from "aggregation_author"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             Author.objects.aggregate(**{crafted_alias: Avg("age")})
Index: Django-2.2.28/tests/annotations/tests.py
===================================================================
--- Django-2.2.28.orig/tests/annotations/tests.py
+++ Django-2.2.28/tests/annotations/tests.py
@@ -602,8 +602,8 @@ class NonAggregateAnnotationTestCase(Tes
     def test_alias_sql_injection(self):
         crafted_alias = """injected_name" from "annotations_book"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             Book.objects.annotate(**{crafted_alias: Value(1)})
@@ -611,8 +611,8 @@ class NonAggregateAnnotationTestCase(Tes
     def test_alias_filtered_relation_sql_injection(self):
         crafted_alias = """injected_name" from "annotations_book"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
@@ -629,13 +629,14 @@ class NonAggregateAnnotationTestCase(Tes
             "ali/*as",
             "alias*/",
             "alias;",
-            # [] are used by MSSQL.
+            # [] and # are used by MSSQL.
             "alias[",
             "alias]",
+            "ali#as",
         ]
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         for crafted_alias in tests:
             with self.subTest(crafted_alias):
Index: Django-2.2.28/tests/expressions/test_queryset_values.py
===================================================================
--- Django-2.2.28.orig/tests/expressions/test_queryset_values.py
+++ Django-2.2.28/tests/expressions/test_queryset_values.py
@@ -30,8 +30,8 @@ class ValuesExpressionsTests(TestCase):
     def test_values_expression_alias_sql_injection(self):
         crafted_alias = """injected_name" from "expressions_company"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             Company.objects.values(**{crafted_alias: F("ceo__salary")})
@@ -40,8 +40,8 @@ class ValuesExpressionsTests(TestCase):
     def test_values_expression_alias_sql_injection_json_field(self):
         crafted_alias = """injected_name" from "expressions_company"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             JSONFieldModel.objects.values(f"data__{crafted_alias}")
Index: Django-2.2.28/tests/queries/tests.py
===================================================================
--- Django-2.2.28.orig/tests/queries/tests.py
+++ Django-2.2.28/tests/queries/tests.py
@@ -1740,8 +1740,8 @@ class Queries5Tests(TestCase):
     def test_extra_select_alias_sql_injection(self):
         crafted_alias = """injected_name" from "queries_note"; --"""
         msg = (
-            "Column aliases cannot contain whitespace characters, quotation marks, "
-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
         )
         with self.assertRaisesMessage(ValueError, msg):
             Note.objects.extra(select={crafted_alias: "1"})
openSUSE Build Service is sponsored by
Places