
[2.2.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter i… · django/django@fe886a3 · GitHub

File tree Expand file treeCollapse file tree 7 files changed

+110

-12

lines changed


@@ -1,6 +1,7 @@

1 1

from django.contrib.gis.db.models.fields import (

2 2

ExtentField, GeometryCollectionField, GeometryField, LineStringField,

3 3

)

4 +

from django.db.models import Value

4 5

from django.db.models.aggregates import Aggregate

5 6

from django.utils.functional import cached_property

6 7

@@ -27,9 +28,16 @@ def as_sql(self, compiler, connection, function=None, **extra_context):

27 28

)

28 29 29 30

def as_oracle(self, compiler, connection, **extra_context):

30 -

tolerance = self.extra.get('tolerance') or getattr(self, 'tolerance', 0.05)

31 -

template = None if self.is_extent else '%(function)s(SDOAGGRTYPE(%(expressions)s,%(tolerance)s))'

32 -

return self.as_sql(compiler, connection, template=template, tolerance=tolerance, **extra_context)

31 +

if not self.is_extent:

32 +

tolerance = self.extra.get('tolerance') or getattr(self, 'tolerance', 0.05)

33 +

clone = self.copy()

34 +

clone.set_source_expressions([

35 +

*self.get_source_expressions(),

36 +

Value(tolerance),

37 +

])

38 +

template = '%(function)s(SDOAGGRTYPE(%(expressions)s))'

39 +

return clone.as_sql(compiler, connection, template=template, **extra_context)

40 +

return self.as_sql(compiler, connection, **extra_context)

33 41 34 42

def resolve_expression(self, query=None, allow_joins=True, reuse=None, summarize=False, for_save=False):

35 43

c = super().resolve_expression(query, allow_joins, reuse, summarize, for_save)
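Review bot: The aggregate's `as_oracle` binds the tolerance through `Value(tolerance)` but never checks its type, whereas the `OracleToleranceMixin` change in the same commit validates against `NUMERIC_TYPES` via `_handle_param` before binding, so a non-numeric tolerance travels to Oracle as a bind parameter and only fails there — which is why the `Union` test in this commit expects `DatabaseError` while the `Distance` test expects `TypeError`. A numeric check at the top of the `if not self.is_extent:` branch, raising `TypeError` with the same wrong-type message the mixin path produces (if `_handle_param` or an equivalent is reachable from `Aggregate`; that is not visible here), would fail fast and give both code paths one contract. Separately, `self.extra.get('tolerance') or getattr(self, 'tolerance', 0.05)` treats an explicit `tolerance=0` as absent and silently uses 0.05; that is pre-existing, but now that the value becomes a bound parameter it deserves either `tolerance = self.extra.get('tolerance', getattr(self, 'tolerance', 0.05))` or a comment stating that zero is intentionally ignored. The enclosing class and its `as_sql` start outside the hunk.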


@@ -113,12 +113,14 @@ class OracleToleranceMixin:

113 113

tolerance = 0.05

114 114 115 115

def as_oracle(self, compiler, connection, **extra_context):

116 -

tol = self.extra.get('tolerance', self.tolerance)

117 -

return self.as_sql(

118 -

compiler, connection,

119 -

template="%%(function)s(%%(expressions)s, %s)" % tol,

120 -

**extra_context

121 -

)

116 +

tolerance = Value(self._handle_param(

117 +

self.extra.get('tolerance', self.tolerance),

118 +

'tolerance',

119 +

NUMERIC_TYPES,

120 +

))

121 +

clone = self.copy()

122 +

clone.set_source_expressions([*self.get_source_expressions(), tolerance])

123 +

return clone.as_sql(compiler, connection, **extra_context)

122 124 123 125 124 126

class Area(OracleToleranceMixin, GeoFunc):
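Review bot: The new `as_oracle` body gives no hint why the tolerance is appended as a `Value` source expression instead of being formatted into the template, and the removed `%s` interpolation is exactly the pattern a later edit could reintroduce; a why-comment on the `tolerance = Value(...)` line would protect the fix: `# Bind tolerance as a query parameter; never interpolate it into the template (CVE-2020-9402).` It would also help to note that `_handle_param` is what rejects non-numeric input (the `Distance` test in this commit expects a `TypeError` from it), so readers learn the contract without opening `GeoFunc`. The aggregate `as_oracle` elsewhere in this commit binds the tolerance without that validation, so a cross-reference comment here would keep the two in step. The rest of the mixin is outside the hunk.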


@@ -0,0 +1,13 @@

1 +

============================

2 +

Django 1.11.29 release notes

3 +

============================

4 + 5 +

*March 4, 2020*

6 + 7 +

Django 1.11.29 fixes a security issue in 1.11.29.

8 + 9 +

CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle

10 +

============================================================================================================

11 + 12 +

GIS functions and aggregates on Oracle were subject to SQL injection,

13 +

using a suitably crafted ``tolerance``.


@@ -2,9 +2,15 @@

2 2

Django 2.2.11 release notes

3 3

===========================

4 4 5 -

*Expected March 2, 2020*

5 +

*March 4, 2020*

6 6 7 -

Django 2.2.11 fixes a data loss bug in 2.2.10.

7 +

Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10.

8 + 9 +

CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle

10 +

============================================================================================================

11 + 12 +

GIS functions and aggregates on Oracle were subject to SQL injection,

13 +

using a suitably crafted ``tolerance``.

8 14 9 15

Bugfixes

10 16

========


@@ -85,6 +85,7 @@ versions of the documentation contain the release notes for any later releases.

85 85

.. toctree::

86 86

:maxdepth: 1

87 87 88 +

1.11.29

88 89

1.11.28

89 90

1.11.27

90 91

1.11.26


@@ -400,6 +400,37 @@ def test_distance_function_d_lookup(self):

400 400

).filter(d=D(m=1))

401 401

self.assertTrue(qs.exists())

402 402 403 +

@unittest.skipUnless(

404 +

connection.vendor == 'oracle',

405 +

'Oracle supports tolerance paremeter.',

406 +

)

407 +

def test_distance_function_tolerance_escaping(self):

408 +

qs = Interstate.objects.annotate(

409 +

d=Distance(

410 +

Point(500, 500, srid=3857),

411 +

Point(0, 0, srid=3857),

412 +

tolerance='0.05) = 1 OR 1=1 OR (1+1',

413 +

),

414 +

).filter(d=D(m=1)).values('pk')

415 +

msg = 'The tolerance parameter has the wrong type'

416 +

with self.assertRaisesMessage(TypeError, msg):

417 +

qs.exists()

418 + 419 +

@unittest.skipUnless(

420 +

connection.vendor == 'oracle',

421 +

'Oracle supports tolerance paremeter.',

422 +

)

423 +

def test_distance_function_tolerance(self):

424 +

# Tolerance is greater than distance.

425 +

qs = Interstate.objects.annotate(

426 +

d=Distance(

427 +

Point(0, 0, srid=3857),

428 +

Point(1, 1, srid=3857),

429 +

tolerance=1.5,

430 +

),

431 +

).filter(d=0).values('pk')

432 +

self.assertIs(qs.exists(), True)

433 + 403 434

@skipIfDBFeature("supports_distance_geodetic")

404 435

@skipUnlessDBFeature("has_Distance_function")

405 436

def test_distance_function_raw_result_d_lookup(self):
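Review bot: The skip reason `'Oracle supports tolerance paremeter.'` is misspelled; it appears on both new decorators here and on both decorators of the `Union` aggregate tests in this commit, so fix it once as `'Oracle supports tolerance parameter.'` in all four places. `test_distance_function_tolerance_escaping` pins the new `TypeError` contract well; a companion case passing a numeric-looking string such as `tolerance='0.05'` would document that strings are rejected even when they would parse as a number. Gating on `connection.vendor == 'oracle'` differs from the `skipUnlessDBFeature` style used on the neighbouring tests; if a matching feature flag exists it would read more uniformly, though none is visible here. The test class continues outside the hunk.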


@@ -1,4 +1,5 @@

1 1

import tempfile

2 +

import unittest

2 3

from io import StringIO

3 4 4 5

from django.contrib.gis import gdal

@@ -8,7 +9,7 @@

8 9

MultiPoint, MultiPolygon, Point, Polygon, fromstr,

9 10

)

10 11

from django.core.management import call_command

11 -

from django.db import NotSupportedError, connection

12 +

from django.db import DatabaseError, NotSupportedError, connection

12 13

from django.test import TestCase, skipUnlessDBFeature

13 14 14 15

from ..utils import (

@@ -563,6 +564,42 @@ def test_unionagg(self):

563 564

qs = City.objects.filter(name='NotACity')

564 565

self.assertIsNone(qs.aggregate(Union('point'))['point__union'])

565 566 567 +

@unittest.skipUnless(

568 +

connection.vendor == 'oracle',

569 +

'Oracle supports tolerance paremeter.',

570 +

)

571 +

def test_unionagg_tolerance(self):

572 +

City.objects.create(

573 +

point=fromstr('POINT(-96.467222 32.751389)', srid=4326),

574 +

name='Forney',

575 +

)

576 +

tx = Country.objects.get(name='Texas').mpoly

577 +

# Tolerance is greater than distance between Forney and Dallas, that's

578 +

# why Dallas is ignored.

579 +

forney_houston = GEOSGeometry(

580 +

'MULTIPOINT(-95.363151 29.763374, -96.467222 32.751389)',

581 +

srid=4326,

582 +

)

583 +

self.assertIs(

584 +

forney_houston.equals(

585 +

City.objects.filter(point__within=tx).aggregate(

586 +

Union('point', tolerance=32000),

587 +

)['point__union'],

588 +

),

589 +

True,

590 +

)

591 + 592 +

@unittest.skipUnless(

593 +

connection.vendor == 'oracle',

594 +

'Oracle supports tolerance paremeter.',

595 +

)

596 +

def test_unionagg_tolerance_escaping(self):

597 +

tx = Country.objects.get(name='Texas').mpoly

598 +

with self.assertRaises(DatabaseError):

599 +

City.objects.filter(point__within=tx).aggregate(

600 +

Union('point', tolerance='0.05))), (((1'),

601 +

)

602 + 566 603

def test_within_subquery(self):

567 604

"""

568 605

Using a queryset inside a geo lookup is working (using a subquery)
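Review bot: `test_unionagg_tolerance_escaping` asserts only `DatabaseError`, so the malformed tolerance is handed to Oracle as a bind parameter and the test is satisfied by any server-side failure rather than specifically by the parameter being rejected; the parallel `Distance` test in this commit asserts `TypeError` with a message, and if the `Union` aggregate's `as_oracle` gains the same numeric check this test should tighten to `with self.assertRaisesMessage(TypeError, msg):` too. Until then a comment above the `assertRaises` such as `# Tolerance is bound as a query parameter, so the non-numeric value is rejected by the database, not by Django.` would explain why a database-level error is the expected outcome. `test_unionagg_tolerance` relies on the `Union(..., tolerance=32000)` result matching a hand-built `MULTIPOINT`; a short comment giving the units of that tolerance (the SRID 4326 data suggests it is not metres, but that is not visible here) would save the next reader a lookup. `test_within_subquery` continues outside the hunk.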
