Changes between Version 1 and Version 2 of Ticket #36912
Timestamp: Feb 9, 2026, 4:43:25 PM
Ticket #36912 – Description

Line 1 (unmodified in v1 and v2): In 98e642c69181c942d60a10ca0085d48c6b3068bb, we mitigated a SQL injection vector for user-controlled arguments to `filter()` and friends (CVE-2025-64459) by adding validation for the `_connector` argument.

Line 3 (modified):
v1 (removed): We deliberately avoided adding the same validation to `Q.create()`, because `Q.create` is an undocumented internal not to be used with user-controlled field names.
v2 (added): We deliberately avoided adding the same validation to `Q.create()`, because `Q.create` is an undocumented internal not to be used with user-controlled field names and was created specifically for the purpose of speed.

Line 5 (unmodified in v1 and v2): The Security Team then received more than one report extrapolating from CVE-2025-64459, suggesting that `Q.create` was missing the same validation.
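The description above concerns user-controlled keyword arguments reaching `filter()`. The following is an added application-side guard, not Django's own code and not the fix referenced in the ticket: it screens user-supplied lookup kwargs (for example from a query string) before they are unpacked into `filter(**kwargs)`, rejecting option-style keys such as `_connector` and anything outside an allowlist. Django is not imported; the field and lookup allowlists are constructed for illustration.

```python
import re

# Keyword arguments that Q()/filter() treat as options rather than field lookups.
# Rejecting them at the application boundary keeps user input out of that path.
RESERVED_KWARGS = frozenset({"_connector", "_negated"})

# Constructed allowlist: the fields and lookups this endpoint is willing to filter on.
ALLOWED_FIELDS = frozenset({"title", "author__username", "published_year"})
ALLOWED_LOOKUPS = frozenset({"exact", "iexact", "icontains", "gte", "lte"})

# A well-formed lookup key: lowercase identifier segments joined by underscores.
_KEY_RE = re.compile(r"^[a-z][a-z0-9_]*$")


class UnsafeFilterKey(ValueError):
    """Raised when a user-supplied filter key must not reach filter()."""


def sanitize_filter_kwargs(user_kwargs):
    """Return a dict that is safe to unpack into filter(); raise on anything else."""
    clean = {}
    for key, value in user_kwargs.items():
        # Any leading-underscore key is an internal option, never a field name.
        if key in RESERVED_KWARGS or key.startswith("_"):
            raise UnsafeFilterKey(f"reserved or private key: {key!r}")
        if not _KEY_RE.match(key):
            raise UnsafeFilterKey(f"malformed key: {key!r}")
        field, lookup = key, "exact"
        # Split off a trailing lookup only when the key is not itself an allowed field.
        if key not in ALLOWED_FIELDS and "__" in key:
            field, lookup = key.rsplit("__", 1)
        if field not in ALLOWED_FIELDS:
            raise UnsafeFilterKey(f"field not filterable: {field!r}")
        if lookup not in ALLOWED_LOOKUPS:
            raise UnsafeFilterKey(f"lookup not allowed: {lookup!r}")
        clean[key] = value
    return clean


def is_safe_filter_kwargs(user_kwargs):
    """Boolean form of the check, convenient for logging or tests."""
    try:
        sanitize_filter_kwargs(user_kwargs)
    except UnsafeFilterKey:
        return False
    return True
```

The guard is independent of the framework-level validation the ticket describes; keeping user input out of option keys and unknown fields is worthwhile regardless of which internal (`filter()`, `Q()`, or `Q.create()`) ends up consuming the kwargs.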