From f0a7470e405cb237e8b5676fd10f1ea482787baf Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Sun, 8 Feb 2009 11:14:56 +0000
Subject: [PATCH] Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/db/models/sql/expressions.py | 5 +----
 django/db/models/sql/where.py | 6 +++---
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/django/db/models/sql/expressions.py b/django/db/models/sql/expressions.py
index 878f13bbf7..ef9fcb00c3 100644
--- a/django/db/models/sql/expressions.py
+++ b/django/db/models/sql/expressions.py
@@ -64,10 +64,7 @@ class SQLEvaluator(object):
 if hasattr(child, 'evaluate'):
 sql, params = child.evaluate(self, qn)
 else:
- try:
- sql, params = qn(child), ()
- except:
- sql, params = str(child), ()
+ sql, params = '%s', (child,)
 if hasattr(child, 'children') > 1:
 format = '(%s)'
diff --git a/django/db/models/sql/where.py b/django/db/models/sql/where.py
index d97112e9f3..1d4df127fe 100644
--- a/django/db/models/sql/where.py
+++ b/django/db/models/sql/where.py
@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
 extra = ''
 if lookup_type in connection.operators:
- format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
- extra)
+ format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
 return (format % (field_sql,
- connection.operators[lookup_type] % cast_sql), params)
+ connection.operators[lookup_type] % cast_sql,
+ extra), params)
 if lookup_type == 'in':
 if not value_annot:
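Review bot: The new `sql, params = '%s', (child,)` line binds every non-evaluating child as a query parameter, which is the right trust boundary, but the intent deserves a comment because the removed branch treated a string child as a quotable column name and fell back to raw `str(child)` on any failure: `# Bind leaf values as parameters rather than quoting them; the DB adapter escapes them, and a string child is a value, not a column name.` The literal `'%s'` placeholder assumes the format paramstyle that Django's backends use, which the rest of this file presumably relies on as well. Adjacent but untouched by the change: `hasattr(child, 'children') > 1` on the following context line can never be true, since `hasattr` returns a bool, so the parenthesising branch looks dead and is worth a follow-up. The enclosing method starts and ends outside the hunk.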
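Review bot: The rewritten `format` line now feeds `extra` through the final `%` as a positional argument instead of baking it into the template, so a `%s` bind placeholder or literal `%` inside `extra` is no longer re-interpreted by the second formatting pass; a comment would stop someone from refactoring it back: `# extra may contain '%s' bind placeholders (and literal '%'); keep it out of the template so they reach the adapter intact.` Note that `connection.ops.lookup_cast(lookup_type)` is still interpolated into the template and then formatted again, so it must remain a backend-owned constant that never carries user-derived text. The `params` tuple is returned unchanged, so it is presumably already aligned with the placeholders in `extra` — the code that builds `extra` and `params` sits above the hunk and is not visible here. The enclosing method starts and ends outside the hunk.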