mirror of https://github.com/django/django.git
Refs CVE-2022-34265 -- Unified DatabaseOperations._convert_*_to_tz() hook names.
This commit is contained in:
parent
eb3699ea77
commit
5e2f4ddf29
|
@ -66,7 +66,7 @@ class DatabaseOperations(BaseDatabaseOperations):
|
||||||
return f"EXTRACT({lookup_type} FROM {sql})", params
|
return f"EXTRACT({lookup_type} FROM {sql})", params
|
||||||
|
|
||||||
def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
|
def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
fields = {
|
fields = {
|
||||||
"year": "%Y-01-01",
|
"year": "%Y-01-01",
|
||||||
"month": "%Y-%m-01",
|
"month": "%Y-%m-01",
|
||||||
|
@ -89,7 +89,7 @@ class DatabaseOperations(BaseDatabaseOperations):
|
||||||
tzname, sign, offset = split_tzname_delta(tzname)
|
tzname, sign, offset = split_tzname_delta(tzname)
|
||||||
return f"{sign}{offset}" if offset else tzname
|
return f"{sign}{offset}" if offset else tzname
|
||||||
|
|
||||||
def _convert_field_to_tz(self, sql, params, tzname):
|
def _convert_sql_to_tz(self, sql, params, tzname):
|
||||||
if tzname and settings.USE_TZ and self.connection.timezone_name != tzname:
|
if tzname and settings.USE_TZ and self.connection.timezone_name != tzname:
|
||||||
return f"CONVERT_TZ({sql}, %s, %s)", (
|
return f"CONVERT_TZ({sql}, %s, %s)", (
|
||||||
*params,
|
*params,
|
||||||
|
@ -99,19 +99,19 @@ class DatabaseOperations(BaseDatabaseOperations):
|
||||||
return sql, params
|
return sql, params
|
||||||
|
|
||||||
def datetime_cast_date_sql(self, sql, params, tzname):
|
def datetime_cast_date_sql(self, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
return f"DATE({sql})", params
|
return f"DATE({sql})", params
|
||||||
|
|
||||||
def datetime_cast_time_sql(self, sql, params, tzname):
|
def datetime_cast_time_sql(self, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
return f"TIME({sql})", params
|
return f"TIME({sql})", params
|
||||||
|
|
||||||
def datetime_extract_sql(self, lookup_type, sql, params, tzname):
|
def datetime_extract_sql(self, lookup_type, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
return self.date_extract_sql(lookup_type, sql, params)
|
return self.date_extract_sql(lookup_type, sql, params)
|
||||||
|
|
||||||
def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
|
def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
fields = ["year", "month", "day", "hour", "minute", "second"]
|
fields = ["year", "month", "day", "hour", "minute", "second"]
|
||||||
format = ("%Y-", "%m", "-%d", " %H:", "%i", ":%s")
|
format = ("%Y-", "%m", "-%d", " %H:", "%i", ":%s")
|
||||||
format_def = ("0000-", "01", "-01", " 00:", "00", ":00")
|
format_def = ("0000-", "01", "-01", " 00:", "00", ":00")
|
||||||
|
@ -136,7 +136,7 @@ class DatabaseOperations(BaseDatabaseOperations):
|
||||||
return sql, params
|
return sql, params
|
||||||
|
|
||||||
def time_trunc_sql(self, lookup_type, sql, params, tzname=None):
|
def time_trunc_sql(self, lookup_type, sql, params, tzname=None):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
fields = {
|
fields = {
|
||||||
"hour": "%H:00:00",
|
"hour": "%H:00:00",
|
||||||
"minute": "%H:%i:00",
|
"minute": "%H:%i:00",
|
||||||
|
|
|
@ -105,7 +105,7 @@ END;
|
||||||
return extract_sql, (*params, extract_param)
|
return extract_sql, (*params, extract_param)
|
||||||
|
|
||||||
def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
|
def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
|
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
|
||||||
trunc_param = None
|
trunc_param = None
|
||||||
if lookup_type in ("year", "month"):
|
if lookup_type in ("year", "month"):
|
||||||
|
@ -128,7 +128,7 @@ END;
|
||||||
tzname, sign, offset = split_tzname_delta(tzname)
|
tzname, sign, offset = split_tzname_delta(tzname)
|
||||||
return f"{sign}{offset}" if offset else tzname
|
return f"{sign}{offset}" if offset else tzname
|
||||||
|
|
||||||
def _convert_field_to_tz(self, sql, params, tzname):
|
def _convert_sql_to_tz(self, sql, params, tzname):
|
||||||
if not (settings.USE_TZ and tzname):
|
if not (settings.USE_TZ and tzname):
|
||||||
return sql, params
|
return sql, params
|
||||||
if not self._tzname_re.match(tzname):
|
if not self._tzname_re.match(tzname):
|
||||||
|
@ -147,13 +147,13 @@ END;
|
||||||
return sql, params
|
return sql, params
|
||||||
|
|
||||||
def datetime_cast_date_sql(self, sql, params, tzname):
|
def datetime_cast_date_sql(self, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
return f"TRUNC({sql})", params
|
return f"TRUNC({sql})", params
|
||||||
|
|
||||||
def datetime_cast_time_sql(self, sql, params, tzname):
|
def datetime_cast_time_sql(self, sql, params, tzname):
|
||||||
# Since `TimeField` values are stored as TIMESTAMP change to the
|
# Since `TimeField` values are stored as TIMESTAMP change to the
|
||||||
# default date and convert the field to the specified timezone.
|
# default date and convert the field to the specified timezone.
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
convert_datetime_sql = (
|
convert_datetime_sql = (
|
||||||
f"TO_TIMESTAMP(CONCAT('1900-01-01 ', TO_CHAR({sql}, 'HH24:MI:SS.FF')), "
|
f"TO_TIMESTAMP(CONCAT('1900-01-01 ', TO_CHAR({sql}, 'HH24:MI:SS.FF')), "
|
||||||
f"'YYYY-MM-DD HH24:MI:SS.FF')"
|
f"'YYYY-MM-DD HH24:MI:SS.FF')"
|
||||||
|
@ -164,11 +164,11 @@ END;
|
||||||
)
|
)
|
||||||
|
|
||||||
def datetime_extract_sql(self, lookup_type, sql, params, tzname):
|
def datetime_extract_sql(self, lookup_type, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
return self.date_extract_sql(lookup_type, sql, params)
|
return self.date_extract_sql(lookup_type, sql, params)
|
||||||
|
|
||||||
def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
|
def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
|
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
|
||||||
trunc_param = None
|
trunc_param = None
|
||||||
if lookup_type in ("year", "month"):
|
if lookup_type in ("year", "month"):
|
||||||
|
@ -192,7 +192,7 @@ END;
|
||||||
# The implementation is similar to `datetime_trunc_sql` as both
|
# The implementation is similar to `datetime_trunc_sql` as both
|
||||||
# `DateTimeField` and `TimeField` are stored as TIMESTAMP where
|
# `DateTimeField` and `TimeField` are stored as TIMESTAMP where
|
||||||
# the date part of the later is ignored.
|
# the date part of the later is ignored.
|
||||||
sql, params = self._convert_field_to_tz(sql, params, tzname)
|
sql, params = self._convert_sql_to_tz(sql, params, tzname)
|
||||||
trunc_param = None
|
trunc_param = None
|
||||||
if lookup_type == "hour":
|
if lookup_type == "hour":
|
||||||
trunc_param = "HH24"
|
trunc_param = "HH24"
|
||||||
|
|
|
@ -459,6 +459,10 @@ backends.
|
||||||
``DatabaseOperations.insert_statement()`` method is replaced by
|
``DatabaseOperations.insert_statement()`` method is replaced by
|
||||||
``on_conflict`` that accepts ``django.db.models.constants.OnConflict``.
|
``on_conflict`` that accepts ``django.db.models.constants.OnConflict``.
|
||||||
|
|
||||||
|
* ``DatabaseOperations._convert_field_to_tz()`` is replaced by
|
||||||
|
``DatabaseOperations._convert_sql_to_tz()`` that accepts the ``sql``,
|
||||||
|
``params``, and ``tzname`` arguments.
|
||||||
|
|
||||||
* Several date and time methods on ``DatabaseOperations`` now take ``sql`` and
|
* Several date and time methods on ``DatabaseOperations`` now take ``sql`` and
|
||||||
``params`` arguments instead of ``field_name`` and return 2-tuple containing
|
``params`` arguments instead of ``field_name`` and return 2-tuple containing
|
||||||
some SQL and the parameters to be interpolated into that SQL. The changed
|
some SQL and the parameters to be interpolated into that SQL. The changed
|
||||||
|
|
Loading…
Reference in New Issue