Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2009-02-08 11:14:56 +00:00
parent d4a3a4b0ca
commit f0a7470e40
2 changed files with 4 additions and 7 deletions

View File

@ -64,10 +64,7 @@ class SQLEvaluator(object):
if hasattr(child, 'evaluate'): if hasattr(child, 'evaluate'):
sql, params = child.evaluate(self, qn) sql, params = child.evaluate(self, qn)
else: else:
try: sql, params = '%s', (child,)
sql, params = qn(child), ()
except:
sql, params = str(child), ()
if hasattr(child, 'children') > 1: if hasattr(child, 'children') > 1:
format = '(%s)' format = '(%s)'

View File

@ -160,10 +160,10 @@ class WhereNode(tree.Node):
extra = '' extra = ''
if lookup_type in connection.operators: if lookup_type in connection.operators:
format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type), format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
extra)
return (format % (field_sql, return (format % (field_sql,
connection.operators[lookup_type] % cast_sql), params) connection.operators[lookup_type] % cast_sql,
extra), params)
if lookup_type == 'in': if lookup_type == 'in':
if not value_annot: if not value_annot: