Kaydet (Commit) f0a7470e authored tarafından Russell Keith-Magee's avatar Russell Keith-Magee

Fixed #10160 -- Modified evaluation of F() expressions to protect against…

Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
üst d4a3a4b0
...@@ -64,10 +64,7 @@ class SQLEvaluator(object): ...@@ -64,10 +64,7 @@ class SQLEvaluator(object):
if hasattr(child, 'evaluate'): if hasattr(child, 'evaluate'):
sql, params = child.evaluate(self, qn) sql, params = child.evaluate(self, qn)
else: else:
try: sql, params = '%s', (child,)
sql, params = qn(child), ()
except:
sql, params = str(child), ()
if hasattr(child, 'children') > 1: if hasattr(child, 'children') > 1:
format = '(%s)' format = '(%s)'
......
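Review bot: The new leaf branch `sql, params = '%s', (child,)` carries no comment saying why the value is now bound as a query parameter instead of being quoted by `qn(child)` or falling back to `str(child)`, so a later reader could "simplify" it back to string interpolation and reintroduce the problem the commit description fixes. Suggest `# Non-expression leaves are bound as parameters, never interpolated into the SQL text.` above the assignment. The context line `if hasattr(child, 'children') > 1:` compares a bool with 1 and therefore appears to be always false; that predates this commit but deserves a follow-up. The rendered hunk is truncated (`......`), so the rest of the method is not visible here.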
...@@ -160,10 +160,10 @@ class WhereNode(tree.Node): ...@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
extra = '' extra = ''
if lookup_type in connection.operators: if lookup_type in connection.operators:
format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type), format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
extra)
return (format % (field_sql, return (format % (field_sql,
connection.operators[lookup_type] % cast_sql), params) connection.operators[lookup_type] % cast_sql,
extra), params)
if lookup_type == 'in': if lookup_type == 'in':
if not value_annot: if not value_annot:
......
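Review bot: The two-stage formatting on the new `format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)` line and the following `return (format % (field_sql, connection.operators[lookup_type] % cast_sql, extra), params)` is easy to misread, because the `%%s` placeholders are only filled by the second `%`. A comment such as `# Only the cast is baked into the format string; the operator and extra are substituted afterwards, so a literal % in either is never treated as a format directive.` would make the intent explicit. That `extra` is now a substitution value rather than part of the format string looks like the reason for the change, but the commit message does not say so, so confirm before adding the comment. The hunk is truncated (`......`), so the rest of the enclosing method is not visible here.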