path: root/.pre-commit-config.yaml
author: Simon Charette <charette.s@gmail.com> 2021-06-18 01:16:10 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-07-01 08:29:23 +0200
commit: a34a5f724c5d5adb2109374ba3989ebb7b11f81f (patch)
tree: 16a4b7fa2f0823a13aa324f69b62587f93205e4d /.pre-commit-config.yaml
parent: da2269dc6f7daca090a28508dbd92207b6f639d0 (diff)
[3.2.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5 by marking the raw SQL column reference feature for deprecation in Django 4.0 while lifting the column format validation. In retrospect, the validation should have been kept around and the user should have been pointed at using RawSQL expressions during the deprecation period. The main branch is not affected because the raw SQL column reference support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff per the 4.0 deprecation life cycle. Thanks Joel Saunders for the report.
Diffstat (limited to '.pre-commit-config.yaml')
0 files changed, 0 insertions, 0 deletions