summaryrefslogtreecommitdiff
path: root/django/db/models/sql
diff options
context:
space:
mode:
authorAnubhav Joshi <anubhav9042@gmail.com>2014-08-10 18:23:37 +0530
committerAnssi Kääriäinen <akaariai@gmail.com>2014-08-11 09:51:57 +0300
commitcdfdcf4b70bebfc68871df885387790c6afbc23c (patch)
treeeb73c2932c8131cc0abc24155253f6a91839d7df /django/db/models/sql
parentf0b358880a6825d667c037757caac470bc526a1f (diff)
Fixed #23266 -- Prevented queries caused by type checking lookup values
Small modifications done by committer.
Diffstat (limited to 'django/db/models/sql')
-rw-r--r--django/db/models/sql/query.py15
1 files changed, 13 insertions, 2 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 89fba2b56a..a590f2796e 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -1104,8 +1104,19 @@ class Query(object):
if field.rel:
# testing for iterable of models
if hasattr(value, '__iter__'):
- for v in value:
- self.check_query_object_type(v, opts)
+ # Check if the iterable has a model attribute, if so
+ # it is likely something like a QuerySet.
+ if hasattr(value, 'model') and hasattr(value.model, '_meta'):
+ model = value.model
+ if not (model == opts.concrete_model
+ or opts.concrete_model in model._meta.get_parent_list()
+ or model in opts.get_parent_list()):
+ raise ValueError(
+ 'Cannot use QuerySet for "%s": Use a QuerySet for "%s".' %
+ (model._meta.model_name, opts.object_name))
+ else:
+ for v in value:
+ self.check_query_object_type(v, opts)
else:
# expecting single model instance here
self.check_query_object_type(value, opts)