Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-31 09:41:08 +00:00 · 2009-02-08 11:14:56 +00:00
parent d4a3a4b0ca
commit f0a7470e40
2 changed files with 4 additions and 7 deletions
--- a/django/db/models/sql/expressions.py
+++ b/django/db/models/sql/expressions.py
@@ -64,10 +64,7 @@ class SQLEvaluator(object):
            if hasattr(child, 'evaluate'):
                sql, params = child.evaluate(self, qn)
            else:
-                try:
-                    sql, params = qn(child), ()
-                except:
-                    sql, params = str(child), ()
+                sql, params = '%s', (child,)

            if hasattr(child, 'children') > 1:
                format = '(%s)'
--- a/django/db/models/sql/where.py
+++ b/django/db/models/sql/where.py
@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
            extra = ''

        if lookup_type in connection.operators:
-            format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
-                    extra)
+            format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
            return (format % (field_sql,
-                    connection.operators[lookup_type] % cast_sql), params)
+                              connection.operators[lookup_type] % cast_sql,
+                              extra), params)

        if lookup_type == 'in':
            if not value_annot: