mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.

Browse Source
This commit is contained in:
Simon Charette
2019-12-31 12:46:06 -05:00
committed by Carlton Gibson
parent 6b178a3e93
commit eb31d84532
7 changed files with 45 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tests/postgres_tests/test_aggregates.py
View File

@@ -169,6 +169,10 @@ class TestGeneralAggregate(PostgreSQLTestCase):
with self.assertRaises(TypeError):
AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field'))
def test_string_agg_delimiter_escaping(self):
values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter="'"))
self.assertEqual(values, {'stringagg': "Foo1'Foo2'Foo4'Foo3"})
def test_string_agg_charfield(self):
values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter=';'))
self.assertEqual(values, {'stringagg': 'Foo1;Foo2;Foo4;Foo3'})