Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit f0a7470e405cb237e8b5676fd10f1ea482787baf 1 parent d4a3a4b
@freakboy3742 freakboy3742 authored
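--- a/django/db/models/sql/expressions.py
+++ b/django/db/models/sql/expressions.py
@@ -64,10 +64,7 @@ def evaluate_node(self, node, qn):
 if hasattr(child, 'evaluate'):
 sql, params = child.evaluate(self, qn)
 else:
-try:
-sql, params = qn(child), ()
-except:
-sql, params = str(child), ()
+sql, params = '%s', (child,)
 if hasattr(child, 'children') > 1:
 format = '(%s)'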
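Review bot: The context line `if hasattr(child, 'children') > 1:` directly below the new assignment compares a bool with 1 and is therefore always false, so the `format = '(%s)'` branch that should parenthesise a sub-expression can never run; it looks like a length test was intended, e.g. `if hasattr(child, 'children') and len(child.children) > 1:`. The new line itself is the right shape for the fix: a leaf that has no `evaluate` is now bound as a query parameter instead of being quoted by `qn()` or fed through `str()` into the SQL text, which is what closes the injection, and dropping the bare `except:` also stops swallowing unrelated errors. A one-line comment would make that intent survive future edits, e.g. `# Non-expression leaves are bound as parameters, never interpolated into the SQL string`. evaluate_node starts before this hunk and continues after it, so the loop that produces `child` is not visible here.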
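--- a/django/db/models/sql/where.py
+++ b/django/db/models/sql/where.py
@@ -160,10 +160,10 @@ def make_atom(self, child, qn):
 extra = ''
 if lookup_type in connection.operators:
-format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
-extra)
+format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
 return (format % (field_sql,
-connection.operators[lookup_type] % cast_sql), params)
+connection.operators[lookup_type] % cast_sql,
+extra), params)
 if lookup_type == 'in':
 if not value_annot: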
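Review bot: The new two-stage formatting is correct but subtle enough to need a comment: `extra` is now supplied as an argument to the second `%` instead of being spliced into the format string, so any `%s` placeholders it carries (the ones `params` is meant to bind) reach the final SQL intact rather than being consumed by the first interpolation and leaving the placeholder count out of step with `params`. Suggest adding above the `return`: `# extra may hold '%s' placeholders bound by params; pass it as a format argument so they survive the interpolation`. With `extra = ''` the generated atom now ends in a trailing space, which is harmless but will show up in logged queries. make_atom begins before this hunk and continues after it, and the branch that assigns a non-empty `extra` is outside the visible lines, so where its placeholders come from cannot be confirmed here.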