diff -pruN 3:5.2.4-1/debian/changelog 3:5.2.4-1ubuntu3/debian/changelog
--- 3:5.2.4-1/debian/changelog	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/changelog	2025-11-06 08:58:31.000000000 +0000
@@ -1,3 +1,50 @@
+python-django (3:5.2.4-1ubuntu3) resolute; urgency=medium
+
+  * SECURITY UPDATE: Potential SQL injection in QuerySet and Q objects
+    - debian/patches/CVE-2025-64459-1.patch: Add connects and checks for them
+      in django/db/models/query_utils.py.
+    - debian/patches/CVE-2025-64459-2.patch: Add PROHIBITED_FILTER_KWARGS and
+      check for them in django/db/models/query.py.
+    - CVE-2025-64459
+  * FTBFS-test_pickle_errors_detection.patch: Fix FTBFS in
+    test_pickle_errors_detection test function in
+    tests/test_runner/test_parallel.py
+
+ -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Thu, 06 Nov 2025 09:58:31 +0100
+
+python-django (3:5.2.4-1ubuntu2) questing; urgency=medium
+
+  * SECURITY UPDATE: Potential SQL injection
+    - debian/patches/CVE-2025-59681.patch: protect against SQL injection in
+      django/db/models/sql/query.py, tests/aggregation/tests.py,
+      tests/annotations/tests.py,
+      tests/expressions/test_queryset_values.py, tests/queries/tests.py.
+    - CVE-2025-59681
+  * SECURITY UPDATE: Potential partial directory-traversal
+    - debian/patches/CVE-2025-59682.patch: validate path in
+      django/utils/archive.py, tests/utils_tests/test_archive.py.
+    - CVE-2025-59682
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 01 Oct 2025 12:49:58 -0400
+
+python-django (3:5.2.4-1ubuntu1) questing; urgency=medium
+
+  * SECURITY UPDATE: SQL injection
+    - debian/patches/CVE-2025-57833.patch: protected
+      FilteredRelation against SQL injection in column
+      aliases in django/db/models/sql/query.py,
+      tests/annotations/tests.py.
+    - debian/patches/fixing_test_stip_tags.patch: Adjusted
+      utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+      HTMLParser new behavior in tests/utils_test/test_html.py.
+    - debian/patches/fixing_test_parsing_errors.patch: Fixed
+      test_utils.tests.HTMLEqualTests.test_parsing_errors
+      following Python's HTMLParser fixed parsing in
+      tests/test_utils/tests.py.
+    - CVE-2025-57833
+
+ -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 15 Sep 2025 09:13:25 -0300
+
 python-django (3:5.2.4-1) experimental; urgency=medium
 
   * New upstream bugfix release.
diff -pruN 3:5.2.4-1/debian/control 3:5.2.4-1ubuntu3/debian/control
--- 3:5.2.4-1/debian/control	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/control	2025-09-15 12:13:25.000000000 +0000
@@ -1,7 +1,8 @@
 Source: python-django
 Section: python
 Priority: optional
-Maintainer: Debian Python Team <team+python@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Python Team <team+python@tracker.debian.org>
 Uploaders:
  Luke Faraone <lfaraone@debian.org>,
  Raphaël Hertzog <hertzog@debian.org>,
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-57833.patch 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-57833.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-57833.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-57833.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,74 @@
+From 88ff2b0ce9985476ea7d6d398d786272f97216d0 Mon Sep 17 00:00:00 2001
+From: Jake Howard <git@theorangeone.net>
+Date: Wed, 13 Aug 2025 14:13:42 +0200
+Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
+ against SQL injection in column aliases.
+
+Thanks Eyal Gabay (EyalSec) for the report.
+
+Backport of 958ad4b7ccc356d7c50b4162c40ff5ad08d79850 from main.
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 92a09c5..a75d9e8 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -1696,6 +1696,7 @@ def _add_q(
+         return target_clause, needed_inner
+ 
+     def add_filtered_relation(self, filtered_relation, alias):
++        self.check_alias(alias)
+         filtered_relation.alias = alias
+         relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
+             filtered_relation.relation_name
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 6c0d7b6..060d632 100644
+--- a/tests/annotations/tests.py
++++ b/tests/annotations/tests.py
+@@ -14,6 +14,7 @@
+     Exists,
+     ExpressionWrapper,
+     F,
++    FilteredRelation,
+     FloatField,
+     Func,
+     IntegerField,
+@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
++
+     def test_alias_forbidden_chars(self):
+         tests = [
+             'al"ias',
+@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
+                 with self.assertRaisesMessage(ValueError, msg):
+                     Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++                with self.assertRaisesMessage(ValueError, msg):
++                    Book.objects.annotate(
++                        **{crafted_alias: FilteredRelation("authors")}
++                    )
++
+     @skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
+     @skipUnlessDBFeature("supports_json_field")
+     def test_set_returning_functions(self):
+@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
++
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
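Review bot: In the tests/annotations/tests.py part of this patch, the first new test passes `FilteredRelation("author")` to annotate(), while the two other additions use `FilteredRelation("authors")`. The singular name is probably not a relation on Book, and the test passes only because the new `self.check_alias(alias)` call runs before `solve_lookup_type(filtered_relation.relation_name)`. Using `Book.objects.annotate(**{crafted_alias: FilteredRelation("authors")})` there keeps the test meaningful if the order of validation in add_filtered_relation ever changes. The body of add_filtered_relation continues outside the inner hunk.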
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-59681.patch 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-59681.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-59681.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-59681.patch	2025-10-01 16:49:52.000000000 +0000
@@ -0,0 +1,175 @@
+Backport of:
+
+From b4d3036c04ae71d611edecf5cfc7d4e5b5927f81 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 10 Sep 2025 09:53:52 +0200
+Subject: [PATCH 1/2] [5.2.x] Fixed CVE-2025-59681 -- Protected
+ QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection
+ in column aliases on MySQL/MariaDB.
+
+Thanks sw0rd1ight for the report.
+
+Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
+---
+ django/db/models/sql/query.py             |  8 ++++----
+ docs/releases/4.2.25.txt                  |  9 ++++++++-
+ docs/releases/5.1.13.txt                  |  9 ++++++++-
+ docs/releases/5.2.7.txt                   |  9 +++++++++
+ tests/aggregation/tests.py                |  4 ++--
+ tests/annotations/tests.py                | 23 ++++++++++++-----------
+ tests/expressions/test_queryset_values.py |  8 ++++----
+ tests/queries/tests.py                    |  4 ++--
+ 8 files changed, 49 insertions(+), 25 deletions(-)
+
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 5247616086..3a1cd73951 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -48,9 +48,9 @@ from django.utils.tree import Node
+ 
+ __all__ = ["Query", "RawQuery"]
+ 
+-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
++# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
+ # SQL comments are forbidden in column aliases.
+-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
++FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
+ 
+ # Inspired from
+ # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+@@ -1208,8 +1208,8 @@ class Query(BaseExpression):
+     def check_alias(self, alias):
+         if FORBIDDEN_ALIAS_PATTERN.search(alias):
+             raise ValueError(
+-                "Column aliases cannot contain whitespace characters, quotation marks, "
+-                "semicolons, or SQL comments."
++                "Column aliases cannot contain whitespace characters, hashes, "
++                "quotation marks, semicolons, or SQL comments."
+             )
+ 
+     def add_annotation(self, annotation, alias, select=True):
+diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
+index bf44c4d25f..2e41f19947 100644
+--- a/tests/aggregation/tests.py
++++ b/tests/aggregation/tests.py
+@@ -2136,8 +2136,8 @@ class AggregateTestCase(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "aggregation_author"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Author.objects.aggregate(**{crafted_alias: Avg("age")})
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 060d6324c7..7a12121224 100644
+--- a/tests/annotations/tests.py
++++ b/tests/annotations/tests.py
+@@ -1159,8 +1159,8 @@ class NonAggregateAnnotationTestCase(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+@@ -1168,8 +1168,8 @@ class NonAggregateAnnotationTestCase(TestCase):
+     def test_alias_filtered_relation_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
+@@ -1186,13 +1186,14 @@ class NonAggregateAnnotationTestCase(TestCase):
+             "ali/*as",
+             "alias*/",
+             "alias;",
+-            # [] are used by MSSQL.
++            # [] and # are used by MSSQL.
+             "alias[",
+             "alias]",
++            "ali#as",
+         ]
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         for crafted_alias in tests:
+             with self.subTest(crafted_alias):
+@@ -1492,8 +1493,8 @@ class AliasTests(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
+@@ -1501,8 +1502,8 @@ class AliasTests(TestCase):
+     def test_alias_filtered_relation_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
+diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
+index 47bd1358de..080ee06183 100644
+--- a/tests/expressions/test_queryset_values.py
++++ b/tests/expressions/test_queryset_values.py
+@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
+     def test_values_expression_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "expressions_company"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
+     def test_values_expression_alias_sql_injection_json_field(self):
+         crafted_alias = """injected_name" from "expressions_company"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             JSONFieldModel.objects.values(f"data__{crafted_alias}")
+diff --git a/tests/queries/tests.py b/tests/queries/tests.py
+index 38b0a5ddfa..ffaabf48a0 100644
+--- a/tests/queries/tests.py
++++ b/tests/queries/tests.py
+@@ -1961,8 +1961,8 @@ class Queries5Tests(TestCase):
+     def test_extra_select_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "queries_note"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Note.objects.extra(select={crafted_alias: "1"})
+-- 
+2.39.5 (Apple Git-154)
+
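Review bot: The updated comment in test_alias_forbidden_chars, `# [] and # are used by MSSQL.`, attributes the hash to MSSQL, while the commit subject says the fix targets MySQL/MariaDB, where `#` starts a comment. I would write `# [] are used by MSSQL; # starts a comment on MySQL/MariaDB.` so the reason for rejecting the character sits next to the `"ali#as"` case. The comment above FORBIDDEN_ALIAS_PATTERN could carry the same reason, since it now only lists "hashes" without saying which backend makes them dangerous.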
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-59682.patch 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-59682.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-59682.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-59682.patch	2025-10-01 16:49:56.000000000 +0000
@@ -0,0 +1,76 @@
+Backport of:
+
+From 3a7091babcb19f213a25dd5bf8ad90fd63c3cba0 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 16 Sep 2025 17:13:36 +0200
+Subject: [PATCH 2/2] [5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial
+ directory-traversal via archive.extract().
+
+Thanks stackered for the report.
+
+Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
+---
+ django/utils/archive.py           |  6 +++++-
+ docs/releases/4.2.25.txt          |  8 ++++++++
+ docs/releases/5.1.13.txt          |  8 ++++++++
+ docs/releases/5.2.7.txt           |  8 ++++++++
+ tests/utils_tests/test_archive.py | 22 ++++++++++++++++++++++
+ 5 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/archive.py b/django/utils/archive.py
+index 56f34c0038..c05fbcdc97 100644
+--- a/django/utils/archive.py
++++ b/django/utils/archive.py
+@@ -145,7 +145,11 @@ class BaseArchive:
+     def target_filename(self, to_path, name):
+         target_path = os.path.abspath(to_path)
+         filename = os.path.abspath(os.path.join(target_path, name))
+-        if not filename.startswith(target_path):
++        try:
++            if os.path.commonpath([target_path, filename]) != target_path:
++                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
++        except ValueError:
++            # Different drives on Windows raises ValueError.
+             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+         return filename
+ 
+diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py
+index 89a45bc072..24e60039a5 100644
+--- a/tests/utils_tests/test_archive.py
++++ b/tests/utils_tests/test_archive.py
+@@ -3,6 +3,7 @@ import stat
+ import sys
+ import tempfile
+ import unittest
++import zipfile
+ 
+ from django.core.exceptions import SuspiciousOperation
+ from django.test import SimpleTestCase
+@@ -94,3 +95,24 @@ class TestArchiveInvalid(SimpleTestCase):
+             with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
+                 with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path):
+                     archive.extract(os.path.join(archives_dir, entry), tmpdir)
++
++    def test_extract_function_traversal_startswith(self):
++        with tempfile.TemporaryDirectory() as tmpdir:
++            base = os.path.abspath(tmpdir)
++            tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False)
++            tar_path = tarfile_handle.name
++
++            try:
++                tarfile_handle.close()
++                malicious_member = os.path.join(base + "abc", "evil.txt")
++
++                with zipfile.ZipFile(tar_path, "w") as zf:
++                    zf.writestr(malicious_member, "evil\n")
++                    zf.writestr("test.txt", "data\n")
++
++                with self.assertRaisesMessage(
++                    SuspiciousOperation, "Archive contains invalid path"
++                ):
++                    archive.extract(tar_path, base)
++            finally:
++                os.remove(tar_path)
+-- 
+2.39.5 (Apple Git-154)
+
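Review bot: The new test in tests/utils_tests/test_archive.py builds its out-of-tree target as `base + "abc"`, a sibling of the temporary directory, so if the commonpath check in target_filename ever regresses, the extraction would presumably create `evil.txt` in a directory that TemporaryDirectory never removes. Nesting the extraction root inside a temporary parent keeps the sibling and the archive under one cleaned-up directory. It also removes the need for NamedTemporaryFile(delete=False) and the try/finally. The names `tarfile_handle` and `tar_path` describe a zip file, so the sketch below uses `zip_path`.

```python
    def test_extract_function_traversal_startswith(self):
        with tempfile.TemporaryDirectory() as parent:
            # Extraction root, its look-alike sibling and the archive all live
            # under one temporary parent, so cleanup covers every path involved.
            base = os.path.join(os.path.abspath(parent), "extract")
            os.mkdir(base)
            zip_path = os.path.join(parent, "traversal.zip")
            malicious_member = os.path.join(base + "abc", "evil.txt")
            # … unchanged: write both members with zipfile.ZipFile(zip_path, "w") …
            # … unchanged: assertRaisesMessage block around archive.extract(zip_path, base) …
```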
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-64459-1.patch 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-64459-1.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-64459-1.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-64459-1.patch	2025-11-06 08:58:31.000000000 +0000
@@ -0,0 +1,47 @@
+Backport of:
+
+From 251f22215061abaa5afddd8c8177cf658c8442e8 Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:54:51 -0400
+Subject: [PATCH 2/3] [5.2.x] Fixed CVE-2025-62769 -- Prevented SQL injections
+ in Q/QuerySet via the _connector kwarg.
+
+Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
+Charette, and Jake Howard for the reviews.
+---
+ django/db/models/query_utils.py | 4 ++++
+ docs/releases/4.2.26.txt        | 7 +++++++
+ docs/releases/5.1.14.txt        | 7 +++++++
+ docs/releases/5.2.8.txt         | 7 +++++++
+ tests/queries/test_q.py         | 5 +++++
+ 5 files changed, 30 insertions(+)
+
+--- python-django-5.2.4.orig/django/db/models/query_utils.py
++++ python-django-5.2.4/django/db/models/query_utils.py
+@@ -48,8 +48,12 @@ class Q(tree.Node):
+     XOR = "XOR"
+     default = AND
+     conditional = True
++    connectors = (None, AND, OR, XOR)
+ 
+     def __init__(self, *args, _connector=None, _negated=False, **kwargs):
++        if _connector not in self.connectors:
++            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
++            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
+         super().__init__(
+             children=[*args, *sorted(kwargs.items())],
+             connector=_connector,
+--- python-django-5.2.4.orig/tests/queries/test_q.py
++++ python-django-5.2.4/tests/queries/test_q.py
+@@ -265,6 +265,11 @@ class QTests(SimpleTestCase):
+                     Q(*items, _connector=connector),
+                 )
+ 
++    def test_connector_validation(self):
++        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
++        with self.assertRaisesMessage(ValueError, msg):
++            Q(_connector="evil")
++
+     def test_referenced_base_fields(self):
+         # Make sure Q.referenced_base_fields retrieves all base fields from
+         # both filters and F expressions.
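Review bot: The embedded upstream subject reads `Fixed CVE-2025-62769`, but this file is named CVE-2025-64459-1.patch and debian/changelog records the fix as CVE-2025-64459. CVE-2025-64459-2.patch has the same mismatch in its `Refs CVE-2025-62769` subject. Someone auditing the package by searching patch bodies for the identifier in the changelog will not find it in either header. A line under `Backport of:` such as `Note: the upstream subject cites CVE-2025-62769; this package tracks the fix as CVE-2025-64459.` would make the mapping explicit in both files.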
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-64459-2.patch 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-64459-2.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-64459-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/CVE-2025-64459-2.patch	2025-11-06 08:58:31.000000000 +0000
@@ -0,0 +1,49 @@
+From b13864f3024abe7afd316081cdf7e67b3b984987 Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:56:03 -0400
+Subject: [PATCH 3/3] [5.2.x] Refs CVE-2025-62769 -- Avoided propagating
+ invalid arguments to Q on dictionary expansion.
+
+---
+ django/db/models/query.py | 5 +++++
+ tests/queries/tests.py    | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+--- python-django-5.2.4.orig/django/db/models/query.py
++++ python-django-5.2.4/django/db/models/query.py
+@@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21
+ # The maximum number of items to display in a QuerySet.__repr__
+ REPR_OUTPUT_SIZE = 20
+ 
++PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
++
+ 
+ class BaseIterable:
+     def __init__(
+@@ -1512,6 +1514,9 @@ class QuerySet(AltersData):
+         return clone
+ 
+     def _filter_or_exclude_inplace(self, negate, args, kwargs):
++        if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
++            invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs))
++            raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}")
+         if negate:
+             self._query.add_q(~Q(*args, **kwargs))
+         else:
+--- python-django-5.2.4.orig/tests/queries/tests.py
++++ python-django-5.2.4/tests/queries/tests.py
+@@ -4506,6 +4506,14 @@ class TestInvalidValuesRelation(SimpleTe
+             Annotation.objects.filter(tag__in=[123, "abc"])
+ 
+ 
++class TestInvalidFilterArguments(TestCase):
++    def test_filter_rejects_invalid_arguments(self):
++        school = School.objects.create()
++        msg = "The following kwargs are invalid: '_connector', '_negated'"
++        with self.assertRaisesMessage(TypeError, msg):
++            School.objects.filter(pk=school.pk, _negated=True, _connector="evil")
++
++
+ class TestTicket24605(TestCase):
+     def test_ticket_24605(self):
+         """
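Review bot: The new TestInvalidFilterArguments case only calls filter(), so the `negate` branch of _filter_or_exclude_inplace is never exercised with a prohibited keyword. exclude() presumably reaches the same helper, and a second assertion such as `School.objects.exclude(pk=school.pk, _connector="evil")` expecting `"The following kwargs are invalid: '_connector'"` would pin that path as well as the single-key form of the message. PROHIBITED_FILTER_KWARGS also lands without a comment, unlike the constants just above it. Something like `# Q() constructor arguments that must not be accepted through filter()/exclude() keyword expansion.` would record why the set exists. The body of _filter_or_exclude_inplace continues outside the hunk.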
diff -pruN 3:5.2.4-1/debian/patches/FTBFS-test_pickle_errors_detection.patch 3:5.2.4-1ubuntu3/debian/patches/FTBFS-test_pickle_errors_detection.patch
--- 3:5.2.4-1/debian/patches/FTBFS-test_pickle_errors_detection.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/FTBFS-test_pickle_errors_detection.patch	2025-11-06 08:58:31.000000000 +0000
@@ -0,0 +1,47 @@
+From 548209e620b3ca34396a360453f07c8dbb8aa6c7 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Tue, 21 Oct 2025 21:11:44 +0200
+Subject: [PATCH] Made RemoteTestResultTest.test_pickle_errors_detection()
+ compatible with tblib 3.2+.
+
+tblib 3.2+ makes exception subclasses with __init__() and the default
+__reduce__() picklable. This broke the test for
+RemoteTestResult._confirm_picklable(), which expects a specific
+exception to fail unpickling.
+
+https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21
+
+This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way
+that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj))
+raises TypeError.
+
+Refs #27301. This preserves the intent of the regression test from
+52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it.
+---
+ tests/test_runner/test_parallel.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- python-django-5.2.4.orig/tests/test_runner/test_parallel.py
++++ python-django-5.2.4/tests/test_runner/test_parallel.py
+@@ -31,6 +31,12 @@ class ExceptionThatFailsUnpickling(Excep
+     def __init__(self, arg):
+         super().__init__()
+ 
++    def __reduce__(self):
++        # tblib 3.2+ makes exception subclasses picklable by default.
++        # Return (cls, ()) so the constructor fails on unpickle, preserving
++        # the needed behavior for test_pickle_errors_detection.
++        return (self.__class__, ())
++
+ 
+ class ParallelTestRunnerTest(SimpleTestCase):
+     """
+@@ -166,6 +172,8 @@ class RemoteTestResultTest(SimpleTestCas
+         result = RemoteTestResult()
+         result._confirm_picklable(picklable_error)
+ 
++        # The exception can be pickled but not unpickled.
++        pickle.dumps(not_unpicklable_error)
+         msg = "__init__() missing 1 required positional argument"
+         with self.assertRaisesMessage(TypeError, msg):
+             result._confirm_picklable(not_unpicklable_error)
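Review bot: The added `pickle.dumps(not_unpicklable_error)` line uses the `pickle` module, but neither hunk of this patch adds an import, and the import block of tests/test_runner/test_parallel.py is outside the hunks. The upstream subject carries no `[5.2.x]` prefix, so the change was presumably written against main. It is worth confirming that the 5.2.4 copy of the file already has `import pickle` at module level. Otherwise the test would fail with NameError instead of fixing the FTBFS.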
diff -pruN 3:5.2.4-1/debian/patches/fixing_test_parsing_errors.patch 3:5.2.4-1ubuntu3/debian/patches/fixing_test_parsing_errors.patch
--- 3:5.2.4-1/debian/patches/fixing_test_parsing_errors.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/fixing_test_parsing_errors.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,27 @@
+From e4515dad7a6d953c0bd2414127ba36e1446ff41a Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 21 Jul 2025 15:23:32 -0300
+Subject: [PATCH] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors
+ following Python's HTMLParser fixed parsing.
+
+Further details about Python changes can be found in:
+https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3.
+
+Thank you Clifford Gama for the thorough review!
+---
+ tests/test_utils/tests.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: python-django-5.2.4/tests/test_utils/tests.py
+===================================================================
+--- python-django-5.2.4.orig/tests/test_utils/tests.py
++++ python-django-5.2.4/tests/test_utils/tests.py
+@@ -948,7 +948,7 @@ class HTMLEqualTests(SimpleTestCase):
+             "('Unexpected end tag `div` (Line 1, Column 6)', (1, 6))"
+         )
+         with self.assertRaisesMessage(AssertionError, error_msg):
+-            self.assertHTMLEqual("< div></ div>", "<div></div>")
++            self.assertHTMLEqual("< div></div>", "<div></div>")
+         with self.assertRaises(HTMLParseError):
+             parse_html("</p>")
+ 
diff -pruN 3:5.2.4-1/debian/patches/fixing_test_strip_tags.patch 3:5.2.4-1ubuntu3/debian/patches/fixing_test_strip_tags.patch
--- 3:5.2.4-1/debian/patches/fixing_test_strip_tags.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/fixing_test_strip_tags.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,64 @@
+From 2980627502c84a9fd09272e1349dc574a2ff1fb1 Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 14 Jul 2025 14:45:03 -0300
+Subject: [PATCH] Fixed #36499 -- Adjusted
+ utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+ HTMLParser new behavior.
+
+Python fixed a quadratic complexity processing for HTMLParser in:
+https://github.com/python/cpython/commit/6eb6c5db.
+---
+ tests/utils_tests/test_html.py | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+Index: python-django-5.2.4/tests/utils_tests/test_html.py
+===================================================================
+--- python-django-5.2.4.orig/tests/utils_tests/test_html.py
++++ python-django-5.2.4/tests/utils_tests/test_html.py
+@@ -1,4 +1,5 @@
+ import os
++import sys
+ from datetime import datetime
+ 
+ from django.core.exceptions import SuspiciousOperation
+@@ -117,6 +118,21 @@ class TestUtilsHtml(SimpleTestCase):
+                 self.check_output(linebreaks, lazystr(value), output)
+ 
+     def test_strip_tags(self):
++        # Python fixed a quadratic-time issue in HTMLParser in 3.13.6, 3.12.12,
++        # 3.11.14, 3.10.19, and 3.9.24. The fix slightly changes HTMLParser's
++        # output, so tests for particularly malformed input must handle both
++        # old and new results. The check below is temporary until all supported
++        # Python versions and CI workers include the fix. See:
++        # https://github.com/python/cpython/commit/6eb6c5db
++        min_fixed = {
++            (3, 14): (3, 14),
++            (3, 13): (3, 13, 6),
++            (3, 12): (3, 12, 12),
++            (3, 11): (3, 11, 14),
++            (3, 10): (3, 10, 19),
++            (3, 9): (3, 9, 24),
++        }
++        htmlparser_fixed = sys.version_info >= min_fixed[sys.version_info[:2]]
+         items = (
+             (
+                 "<p>See: &#39;&eacute; is an apostrophe followed by e acute</p>",
+@@ -144,10 +160,16 @@ class TestUtilsHtml(SimpleTestCase):
+             ("&gotcha&#;<>", "&gotcha&#;<>"),
+             ("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
+             ("<script>alert()</script>&h", "alert()h"),
+-            ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
++            (
++                "><!" + ("&" * 16000) + "D",
++                ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
++            ),
+             ("X<<<<br>br>br>br>X", "XX"),
+             ("<" * 50 + "a>" * 50, ""),
+-            (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++            (
++                ">" + "<a" * 500 + "a",
++                ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
++            ),
+             ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+             ("<" + "a" * 1_002, "<" + "a" * 1_002),
+         )
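Review bot: `min_fixed[sys.version_info[:2]]` in test_strip_tags raises KeyError on any interpreter whose major.minor is not one of the six listed keys. The test then errors out instead of choosing an expectation, for example on a later Python release or one older than 3.9. A lookup with a default keeps the intent: `htmlparser_fixed = sys.version_info >= min_fixed.get(sys.version_info[:2], (3, 14))` treats unlisted newer versions as fixed and unlisted older ones as unfixed. The body of test_strip_tags continues outside the hunk.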
diff -pruN 3:5.2.4-1/debian/patches/series 3:5.2.4-1ubuntu3/debian/patches/series
--- 3:5.2.4-1/debian/patches/series	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu3/debian/patches/series	2025-11-06 08:58:31.000000000 +0000
@@ -2,3 +2,11 @@
 0002-use_debian_geoip_database_as_default.diff
 0004-Use-locally-installed-documentation-sources.patch
 0004-Set-the-default-shebang-to-new-projects-to-use-Pytho.patch
+CVE-2025-57833.patch
+fixing_test_strip_tags.patch
+fixing_test_parsing_errors.patch
+CVE-2025-59681.patch
+CVE-2025-59682.patch
+CVE-2025-64459-1.patch
+CVE-2025-64459-2.patch
+FTBFS-test_pickle_errors_detection.patch
