
Showing content from https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd below:

[1.11.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter)… · django/django@001b063 · GitHub

File tree Expand file treeCollapse file tree 4 files changed

+22

-2

lines changed


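--- a/[PATH NOT SHOWN ON PAGE: StringAgg aggregates module]
+++ b/[PATH NOT SHOWN ON PAGE: StringAgg aggregates module]
@@ -1,4 +1,5 @@
 from django.contrib.postgres.fields import JSONField
+from django.db.models import Value
 from django.db.models.aggregates import Aggregate
 
 __all__ = [
@@ -43,11 +44,12 @@ def convert_value(self, value, expression, connection, context):
 
 class StringAgg(Aggregate):
     function = 'STRING_AGG'
-    template = "%(function)s(%(distinct)s%(expressions)s, '%(delimiter)s')"
+    template = '%(function)s(%(distinct)s%(expressions)s)'
 
     def __init__(self, expression, delimiter, distinct=False, **extra):
         distinct = 'DISTINCT ' if distinct else ''
-        super(StringAgg, self).__init__(expression, delimiter=delimiter, distinct=distinct, **extra)
+        delimiter_expr = Value(str(delimiter))
+        super(StringAgg, self).__init__(expression, delimiter_expr, distinct=distinct, **extra)
 
     def convert_value(self, value, expression, connection, context):
         if not value: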
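Review bot: `delimiter_expr = Value(str(delimiter))` coerces the delimiter with the builtin `str()`; if this 1.11.x branch still runs under Python 2 (the `super(StringAgg, self)` form suggests Python 2 compatibility is kept), a non-ASCII unicode delimiter would raise `UnicodeEncodeError` here instead of being bound, which the single ASCII-quote test in this commit does not cover. `Value(force_text(delimiter))` with `force_text` from `django.utils.encoding` would be the branch-consistent coercion, and a comment should record why the delimiter no longer appears in the template: `# Bind the delimiter as a query parameter instead of interpolating it into the SQL template.` Note that either form silently stringifies a non-string delimiter rather than rejecting it, so the accepted type is worth stating in the class docstring. `convert_value` continues outside the hunk.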


@@ -0,0 +1,13 @@

1 +

============================

2 +

Django 1.11.28 release notes

3 +

============================

4 + 5 +

*February 3, 2020*

6 + 7 +

Django 1.11.28 fixes a security issue in 1.11.27.

8 + 9 +

CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``

10 +

===================================================================

11 + 12 +

:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was

13 +

subject to SQL injection, using a suitably crafted ``delimiter``.


@@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases.

26 26

.. toctree::

27 27

:maxdepth: 1

28 28 29 +

1.11.28

29 30

1.11.27

30 31

1.11.26

31 32

1.11.25


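--- a/[PATH NOT SHOWN ON PAGE: postgres aggregates tests]
+++ b/[PATH NOT SHOWN ON PAGE: postgres aggregates tests]
@@ -108,6 +108,10 @@ def test_string_agg_requires_delimiter(self):
         with self.assertRaises(TypeError):
             AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field'))
 
+    def test_string_agg_delimiter_escaping(self):
+        values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter="'"))
+        self.assertEqual(values, {'stringagg': "Foo1'Foo2'Foo3'Foo4"})
+
     def test_string_agg_charfield(self):
         values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter=';'))
         self.assertEqual(values, {'stringagg': 'Foo1;Foo2;Foo3;Foo4'})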
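Review bot: `test_string_agg_delimiter_escaping` exercises only a single `'` delimiter, so it pins the quoting path but not the `%`-formatting path the old template went through or multi-character delimiters. A second assertion in the same test with a constructed sample such as `StringAgg('char_field', delimiter="%'")` expecting `{'stringagg': "Foo1%'Foo2%'Foo3%'Foo4"}` would confirm the delimiter is bound verbatim as a parameter regardless of content. A short docstring on the test would also help: `"""The delimiter is passed as a bound parameter, so quoting characters round-trip unchanged."""`. The enclosing test class starts outside the hunk.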


