Kaydet (Commit) f0a7470e authored tarafından Russell Keith-Magee's avatar Russell Keith-Magee

Fixed #10160 -- Modified evaluation of F() expressions to protect against…

Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
üst d4a3a4b0
......@@ -64,10 +64,7 @@ class SQLEvaluator(object):
if hasattr(child, 'evaluate'):
sql, params = child.evaluate(self, qn)
else:
try:
sql, params = qn(child), ()
except:
sql, params = str(child), ()
sql, params = '%s', (child,)
if hasattr(child, 'children') > 1:
format = '(%s)'
......
......@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
extra = ''
if lookup_type in connection.operators:
format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
extra)
format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
return (format % (field_sql,
connection.operators[lookup_type] % cast_sql), params)
connection.operators[lookup_type] % cast_sql,
extra), params)
if lookup_type == 'in':
if not value_annot:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment