p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Moved indexes in ArrayField's Index and Slice transforms to SQL params. 

Follow up to 7deeabc7c7.

These lookups aren't vulnerable to SQL injection because both accept
only integer indexes. It is a part of good practices.
This commit is contained in:
Mariusz Felisiak 2019-08-01 11:48:58 +02:00
parent 0e02e496cd
commit 05964b2198
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
django/contrib/postgres/fields/array.py
View File

@ -262,7 +262,7 @@ class IndexTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
return '%s[%s]' % (lhs, self.index), params
return '%s[%%s]' % lhs, params + [self.index]
@property
def output_field(self):
@ -288,7 +288,7 @@ class SliceTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
return '%s[%s:%s]' % (lhs, self.start, self.end), params
return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
class SliceTransformFactory: