| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-07-22 10:45:26 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-07-31 12:43:32 +0200 |
| commit | f74b3ae3628c26e1b4f8db3d13a91d52a833a975 (patch) | |
| tree | c3ac9d6ff511cadc464f120e814a6d44de7ab8d6 /django/contrib/postgres/fields/jsonb.py | |
| parent | 5ff8e791148bd451180124d76a55cb2b2b9556eb (diff) | |
[2.1.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks to Florian Apolloner for reviews.
Diffstat (limited to 'django/contrib/postgres/fields/jsonb.py')
| -rw-r--r-- | django/contrib/postgres/fields/jsonb.py | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/django/contrib/postgres/fields/jsonb.py b/django/contrib/postgres/fields/jsonb.py
index 966e8f1141..be98ff2d48 100644
--- a/django/contrib/postgres/fields/jsonb.py
+++ b/django/contrib/postgres/fields/jsonb.py
@@ -109,12 +109,10 @@ class KeyTransform(Transform):
         if len(key_transforms) > 1:
             return "(%s %s %%s)" % (lhs, self.nested_operator), [key_transforms] + params
         try:
-            int(self.key_name)
+            lookup = int(self.key_name)
         except ValueError:
-            lookup = "'%s'" % self.key_name
-        else:
-            lookup = "%s" % self.key_name
-        return "(%s %s %s)" % (lhs, self.operator, lookup), params
+            lookup = self.key_name
+        return '(%s %s %%s)' % (lhs, self.operator), [lookup] + params
 
 
 class KeyTextTransform(KeyTransform):
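Review bot: The try/except in the hunk now carries the whole security property — both branches hand `lookup` to the database driver as a bound parameter instead of interpolating `self.key_name` into the SQL string — and the reason it still yields the right operator form is that the driver adapts an `int` and a `str` differently, so `->` resolves to an array-index or object-key lookup accordingly; that deserves a comment above `try:` such as `# Integer-looking keys index arrays, anything else is a text key; both are passed as query parameters, never interpolated into SQL.` One consequence of deciding by `int()` alone: it accepts surrounding whitespace and, on Python 3.6+, underscore separators, so a key like `"1_0"` is now sent as the integer 10 rather than as the text key `'1_0'` — probably acceptable, but worth pinning with a regression test so the intended behaviour is explicit. The enclosing method begins before the hunk and the `class KeyTextTransform` definition continues after it.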
