

Refs CVE-2022-34265 -- Unified DatabaseOperations._convert_*_to_tz() hook names.
felixxm committed Jul 9, 2022
1 parent eb3699e commit 5e2f4dd
Showing 3 changed files with 18 additions and 14 deletions.
14 changes: 7 additions & 7 deletions django/db/backends/mysql/operations.py
Expand Up @@ -66,7 +66,7 @@ def date_extract_sql(self, lookup_type, sql, params):
return f"EXTRACT({lookup_type} FROM {sql})", params

def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
fields = {
"year": "%Y-01-01",
"month": "%Y-%m-01",
Expand All @@ -89,7 +89,7 @@ def _prepare_tzname_delta(self, tzname):
tzname, sign, offset = split_tzname_delta(tzname)
return f"{sign}{offset}" if offset else tzname

def _convert_field_to_tz(self, sql, params, tzname):
def _convert_sql_to_tz(self, sql, params, tzname):
if tzname and settings.USE_TZ and self.connection.timezone_name != tzname:
return f"CONVERT_TZ({sql}, %s, %s)", (
*params,
Expand All @@ -99,19 +99,19 @@ def _convert_field_to_tz(self, sql, params, tzname):
return sql, params

def datetime_cast_date_sql(self, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
return f"DATE({sql})", params

def datetime_cast_time_sql(self, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
return f"TIME({sql})", params

def datetime_extract_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
return self.date_extract_sql(lookup_type, sql, params)

def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
fields = ["year", "month", "day", "hour", "minute", "second"]
format = ("%Y-", "%m", "-%d", " %H:", "%i", ":%s")
format_def = ("0000-", "01", "-01", " 00:", "00", ":00")
Expand All @@ -136,7 +136,7 @@ def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
return sql, params

def time_trunc_sql(self, lookup_type, sql, params, tzname=None):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
fields = {
"hour": "%H:00:00",
"minute": "%H:%i:00",
14 changes: 7 additions & 7 deletions django/db/backends/oracle/operations.py
Expand Up @@ -105,7 +105,7 @@ def date_extract_sql(self, lookup_type, sql, params):
return extract_sql, (*params, extract_param)

def date_trunc_sql(self, lookup_type, sql, params, tzname=None):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
trunc_param = None
if lookup_type in ("year", "month"):
Expand All @@ -128,7 +128,7 @@ def _prepare_tzname_delta(self, tzname):
tzname, sign, offset = split_tzname_delta(tzname)
return f"{sign}{offset}" if offset else tzname

def _convert_field_to_tz(self, sql, params, tzname):
def _convert_sql_to_tz(self, sql, params, tzname):
if not (settings.USE_TZ and tzname):
return sql, params
if not self._tzname_re.match(tzname):
Expand All @@ -147,13 +147,13 @@ def _convert_field_to_tz(self, sql, params, tzname):
return sql, params

def datetime_cast_date_sql(self, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
return f"TRUNC({sql})", params

def datetime_cast_time_sql(self, sql, params, tzname):
# Since `TimeField` values are stored as TIMESTAMP change to the
# default date and convert the field to the specified timezone.
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
convert_datetime_sql = (
f"TO_TIMESTAMP(CONCAT('1900-01-01 ', TO_CHAR({sql}, 'HH24:MI:SS.FF')), "
f"'YYYY-MM-DD HH24:MI:SS.FF')"
Expand All @@ -164,11 +164,11 @@ def datetime_cast_time_sql(self, sql, params, tzname):
)

def datetime_extract_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
return self.date_extract_sql(lookup_type, sql, params)

def datetime_trunc_sql(self, lookup_type, sql, params, tzname):
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
# https://docs.oracle.com/en/database/oracle/oracle-database/21/sqlrf/ROUND-and-TRUNC-Date-Functions.html
trunc_param = None
if lookup_type in ("year", "month"):
Expand All @@ -192,7 +192,7 @@ def time_trunc_sql(self, lookup_type, sql, params, tzname=None):
# The implementation is similar to `datetime_trunc_sql` as both
# `DateTimeField` and `TimeField` are stored as TIMESTAMP where
# the date part of the later is ignored.
sql, params = self._convert_field_to_tz(sql, params, tzname)
sql, params = self._convert_sql_to_tz(sql, params, tzname)
trunc_param = None
if lookup_type == "hour":
trunc_param = "HH24"
4 changes: 4 additions & 0 deletions docs/releases/4.1.txt
Expand Up @@ -459,6 +459,10 @@ backends.
``DatabaseOperations.insert_statement()`` method is replaced by
``on_conflict`` that accepts ``django.db.models.constants.OnConflict``.

* ``DatabaseOperations._convert_field_to_tz()`` is replaced by
``DatabaseOperations._convert_sql_to_tz()`` that accepts the ``sql``,
``params``, and ``tzname`` arguments.

* Several date and time methods on ``DatabaseOperations`` now take ``sql`` and
``params`` arguments instead of ``field_name`` and return 2-tuple containing
some SQL and the parameters to be interpolated into that SQL. The changed
