diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-07-22 10:45:26 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-07-31 21:29:17 +0200 |
| commit | ed682a24fca774818542757651bfba576c3fc3ef (patch) | |
| tree | d0e56c1ce9356efc4cd7c910a1fde55f9b133971 /docs | |
| parent | 52479acce792ad80bb0f915f20b835f919993c72 (diff) | |
[1.11.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.23.txt | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/releases/1.11.23.txt b/docs/releases/1.11.23.txt index c95ffd9a50..03b33ebf63 100644 --- a/docs/releases/1.11.23.txt +++ b/docs/releases/1.11.23.txt @@ -36,3 +36,12 @@ Remember that absolutely NO guarantee is provided about the results of ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without escaping it first, for example with :func:`django.utils.html.escape`. + +CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField`` +==================================================================================================== + +:lookup:`Key and index lookups <jsonfield.key>` for +:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups +<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField` +were subject to SQL injection, using a suitably crafted dictionary, with +dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``. |
