From: Haixiao Yan <[email protected]>

Fix the following error introduced by CVE-2024-42005.patch:

AttributeError: module 'django.db.models' has no attribute 'JSONField'

The patch assumes JSONField is available from django.db.models, which
is not the case for this Django version.

Revert the changes in the following files to restore compatibility:
tests/expressions/models.py
tests/expressions/test_queryset_values.py

Signed-off-by: Haixiao Yan <[email protected]>
---
v2: update patch Upstream-Status

 ...ix-missing-JSONField-in-django.db.mo.patch | 77 +++++++++++++++++++
 .../python/python3-django_2.2.28.bb           |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 
meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
 
b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
new file mode 100644
index 000000000000..95a31305a40b
--- /dev/null
+++ 
b/meta-python/recipes-devtools/python/python3-django/Fix-missing-JSONField-in-django.db.mo.patch
@@ -0,0 +1,77 @@
+From c019f2cb6fbe266e09c71cd890a22cbce3769b05 Mon Sep 17 00:00:00 2001
+From: Haixiao Yan <[email protected]>
+Date: Tue, 13 Jan 2026 14:44:32 +0800
+Subject: [PATCH] python3-django: Fix missing JSONField in django.db.models
+
+Fix the following error introduced by CVE-2024-42005.patch:
+
+AttributeError: module 'django.db.models' has no attribute 'JSONField'
+
+The patch assumes JSONField is available from django.db.models, which
+is not the case for this Django version.
+
+Revert the changes in the following files to restore compatibility:
+tests/expressions/models.py
+tests/expressions/test_queryset_values.py
+
+Upstream-Status: Inappropriate [Fix the regression in the previous fix for 
CVE-2024-42005]
+
+Signed-off-by: Haixiao Yan <[email protected]>
+---
+ tests/expressions/models.py               |  7 -------
+ tests/expressions/test_queryset_values.py | 17 ++---------------
+ 2 files changed, 2 insertions(+), 22 deletions(-)
+
+diff --git a/tests/expressions/models.py b/tests/expressions/models.py
+index fb8093849cba..33f7850ac16e 100644
+--- a/tests/expressions/models.py
++++ b/tests/expressions/models.py
+@@ -97,10 +97,3 @@ class UUID(models.Model):
+ 
+     def __str__(self):
+         return "%s" % self.uuid
+-
+-
+-class JSONFieldModel(models.Model):
+-    data = models.JSONField(null=True)
+-
+-    class Meta:
+-        required_db_features = {"supports_json_field"}
+diff --git a/tests/expressions/test_queryset_values.py 
b/tests/expressions/test_queryset_values.py
+index bd52b8efc194..0804531869d9 100644
+--- a/tests/expressions/test_queryset_values.py
++++ b/tests/expressions/test_queryset_values.py
+@@ -1,8 +1,8 @@
+ from django.db.models.aggregates import Sum
+ from django.db.models.expressions import F
+-from django.test import TestCase, skipUnlessDBFeature
++from django.test import TestCase
+ 
+-from .models import Company, Employee, JSONFieldModel
++from .models import Company, Employee
+ 
+ 
+ class ValuesExpressionsTests(TestCase):
+@@ -36,19 +36,6 @@ class ValuesExpressionsTests(TestCase):
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ 
+-    @skipUnlessDBFeature("supports_json_field")
+-    def test_values_expression_alias_sql_injection_json_field(self):
+-        crafted_alias = """injected_name" from "expressions_company"; --"""
+-        msg = (
+-            "Column aliases cannot contain whitespace characters, quotation 
marks, "
+-            "semicolons, or SQL comments."
+-        )
+-        with self.assertRaisesMessage(ValueError, msg):
+-            JSONFieldModel.objects.values(f"data__{crafted_alias}")
+-
+-        with self.assertRaisesMessage(ValueError, msg):
+-            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
+-
+     def test_values_expression_group_by(self):
+         # values() applies annotate() first, so values selected are grouped by
+         # id, not firstname.
+-- 
+2.34.1
+
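Review bot: The embedded patch deletes JSONFieldModel and test_values_expression_alias_sql_injection_json_field outright, so after it applies nothing in tests/expressions exercises the data__<alias> path through values() and values_list(); the commit message should say explicitly that only tests/expressions/ files are reverted and that the alias validation carried by CVE-2024-42005.patch is left in place. The context lines show the crafted_alias check on Company.objects.values() remaining, which is worth mentioning as the coverage that survives. Consider dropping these test hunks from CVE-2024-42005.patch itself instead of stacking a revert on top of it. The Upstream-Status line, the "diff --git a/tests/expressions/test_queryset_values.py" line and the msg string also arrive wrapped across two lines in this mail, so please confirm the patch applies as sent.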
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb 
b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index f2bb1de4f247..8e826b9b619b 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -33,6 +33,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
             file://CVE-2025-32873.patch \
             file://CVE-2025-64459.patch \
             file://Fix-undefined-_lazy_re_compile.patch \
+            file://Fix-missing-JSONField-in-django.db.mo.patch \
            "
 
 SRC_URI[sha256sum] = 
"0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
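Review bot: The added SRC_URI entry uses the truncated name Fix-missing-JSONField-in-django.db.mo.patch, which does not show that it amends CVE-2024-42005.patch; a file name that mentions the CVE would make that dependency obvious to whoever next touches the backport. Because this patch reverts hunks that CVE-2024-42005.patch adds, it must come after that entry in SRC_URI, and CVE-2024-42005.patch is not visible in this hunk's context, so please confirm the ordering against the full recipe.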
-- 
2.34.1
