p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs CVE-2022-34265 -- Unified DatabaseOperations._convert_*_to_tz() hook names.

This commit is contained in:
Mariusz Felisiak 2022-07-09 13:02:07 +02:00 committed by GitHub
parent eb3699ea77
commit 5e2f4ddf29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
django/db/backends/mysql/operations.py
View File

@ -66,7 +66,7 @@ class DatabaseOperations(BaseDatabaseOperations):
return f"EXTRACT({lookup_type} FROM {sql})", params return f"EXTRACT({lookup_type} FROM {sql})", params
def date_trunc_sql(self, lookup_type, sql, params, tzname=None): def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
fields = { fields = {
"year": "%Y-01-01", "year": "%Y-01-01",
"month": "%Y-%m-01", "month": "%Y-%m-01",
@ -89,7 +89,7 @@ class DatabaseOperations(BaseDatabaseOperations):
tzname, sign, offset = split_tzname_delta(tzname) tzname, sign, offset = split_tzname_delta(tzname)
return f"{sign}{offset}" if offset else tzname return f"{sign}{offset}" if offset else tzname
def _convert_field_to_tz(self, sql, params, tzname): def _convert_sql_to_tz(self, sql, params, tzname):
if tzname and settings.USE_TZ and self.connection.timezone_name != tzname: if tzname and settings.USE_TZ and self.connection.timezone_name != tzname:
return f"CONVERT_TZ({sql}, %s, %s)", ( return f"CONVERT_TZ({sql}, %s, %s)", (
*params, *params,
@ -99,19 +99,19 @@ class DatabaseOperations(BaseDatabaseOperations):
return sql, params return sql, params
def datetime_cast_date_sql(self, sql, params, tzname): def datetime_cast_date_sql(self, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
return f"DATE({sql})", params return f"DATE({sql})", params
def datetime_cast_time_sql(self, sql, params, tzname): def datetime_cast_time_sql(self, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
return f"TIME({sql})", params return f"TIME({sql})", params
def datetime_extract_sql(self, lookup_type, sql, params, tzname): def datetime_extract_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
return self.date_extract_sql(lookup_type, sql, params) return self.date_extract_sql(lookup_type, sql, params)
def datetime_trunc_sql(self, lookup_type, sql, params, tzname): def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
fields = ["year", "month", "day", "hour", "minute", "second"] fields = ["year", "month", "day", "hour", "minute", "second"]
format = ("%Y-", "%m", "-%d", " %H:", "%i", ":%s") format = ("%Y-", "%m", "-%d", " %H:", "%i", ":%s")
format_def = ("0000-", "01", "-01", " 00:", "00", ":00") format_def = ("0000-", "01", "-01", " 00:", "00", ":00")
@ -136,7 +136,7 @@ class DatabaseOperations(BaseDatabaseOperations):
return sql, params return sql, params
def time_trunc_sql(self, lookup_type, sql, params, tzname=None): def time_trunc_sql(self, lookup_type, sql, params, tzname=None):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
fields = { fields = {
"hour": "%H:00:00", "hour": "%H:00:00",
"minute": "%H:%i:00", "minute": "%H:%i:00",

14
django/db/backends/oracle/operations.py
View File

@ -105,7 +105,7 @@ END;
return extract_sql, (*params, extract_param) return extract_sql, (*params, extract_param)
def date_trunc_sql(self, lookup_type, sql, params, tzname=None): def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html # https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
trunc_param = None trunc_param = None
if lookup_type in ("year", "month"): if lookup_type in ("year", "month"):
@ -128,7 +128,7 @@ END;
tzname, sign, offset = split_tzname_delta(tzname) tzname, sign, offset = split_tzname_delta(tzname)
return f"{sign}{offset}" if offset else tzname return f"{sign}{offset}" if offset else tzname
def _convert_field_to_tz(self, sql, params, tzname): def _convert_sql_to_tz(self, sql, params, tzname):
if not (settings.USE_TZ and tzname): if not (settings.USE_TZ and tzname):
return sql, params return sql, params
if not self._tzname_re.match(tzname): if not self._tzname_re.match(tzname):
@ -147,13 +147,13 @@ END;
return sql, params return sql, params
def datetime_cast_date_sql(self, sql, params, tzname): def datetime_cast_date_sql(self, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
return f"TRUNC({sql})", params return f"TRUNC({sql})", params
def datetime_cast_time_sql(self, sql, params, tzname): def datetime_cast_time_sql(self, sql, params, tzname):
# Since `TimeField` values are stored as TIMESTAMP change to the # Since `TimeField` values are stored as TIMESTAMP change to the
# default date and convert the field to the specified timezone. # default date and convert the field to the specified timezone.
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
convert_datetime_sql = ( convert_datetime_sql = (
f"TO_TIMESTAMP(CONCAT('1900-01-01 ', TO_CHAR({sql}, 'HH24:MI:SS.FF')), " f"TO_TIMESTAMP(CONCAT('1900-01-01 ', TO_CHAR({sql}, 'HH24:MI:SS.FF')), "
f"'YYYY-MM-DD HH24:MI:SS.FF')" f"'YYYY-MM-DD HH24:MI:SS.FF')"
@ -164,11 +164,11 @@ END;
) )
def datetime_extract_sql(self, lookup_type, sql, params, tzname): def datetime_extract_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
return self.date_extract_sql(lookup_type, sql, params) return self.date_extract_sql(lookup_type, sql, params)
def datetime_trunc_sql(self, lookup_type, sql, params, tzname): def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html # https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
trunc_param = None trunc_param = None
if lookup_type in ("year", "month"): if lookup_type in ("year", "month"):
@ -192,7 +192,7 @@ END;
# The implementation is similar to `datetime_trunc_sql` as both # The implementation is similar to `datetime_trunc_sql` as both
# `DateTimeField` and `TimeField` are stored as TIMESTAMP where # `DateTimeField` and `TimeField` are stored as TIMESTAMP where
# the date part of the later is ignored. # the date part of the later is ignored.
sql, params = self._convert_field_to_tz(sql, params, tzname) sql, params = self._convert_sql_to_tz(sql, params, tzname)
trunc_param = None trunc_param = None
if lookup_type == "hour": if lookup_type == "hour":
trunc_param = "HH24" trunc_param = "HH24"

4
docs/releases/4.1.txt
View File

@ -459,6 +459,10 @@ backends.
``DatabaseOperations.insert_statement()`` method is replaced by ``DatabaseOperations.insert_statement()`` method is replaced by
``on_conflict`` that accepts ``django.db.models.constants.OnConflict``. ``on_conflict`` that accepts ``django.db.models.constants.OnConflict``.
* ``DatabaseOperations._convert_field_to_tz()`` is replaced by
``DatabaseOperations._convert_sql_to_tz()`` that accepts the ``sql``,
``params``, and ``tzname`` arguments.
* Several date and time methods on ``DatabaseOperations`` now take ``sql`` and * Several date and time methods on ``DatabaseOperations`` now take ``sql`` and
``params`` arguments instead of ``field_name`` and return 2-tuple containing ``params`` arguments instead of ``field_name`` and return 2-tuple containing
some SQL and the parameters to be interpolated into that SQL. The changed some SQL and the parameters to be interpolated into that SQL. The changed