[1.11.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.

author: Carlton Gibson <carlton.gibson@noumenal.es> 2020-01-22 09:03:27 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2020-01-26 19:02:04 +0100
commit: 001b0634cd309e372edb6d7d95d083d02b8e37bd (patch)
tree: 7dfeed60d2ca78f895b8fe771b13fd6429090005 /django/contrib/postgres
parent: 7fd1ca3ef63e5e834205a8208f4dc17d80f9a417 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/django/contrib/postgres/aggregates/general.py b/django/contrib/postgres/aggregates/general.py
index 5b3d22bf98..cd9a4bc349 100644
--- a/django/contrib/postgres/aggregates/general.py
+++ b/django/contrib/postgres/aggregates/general.py
@@ -1,4 +1,5 @@
 from django.contrib.postgres.fields import JSONField
+from django.db.models import Value
 from django.db.models.aggregates import Aggregate
 
 __all__ = [
@@ -43,11 +44,12 @@ class JSONBAgg(Aggregate):
 
 class StringAgg(Aggregate):
     function = 'STRING_AGG'
-    template = "%(function)s(%(distinct)s%(expressions)s, '%(delimiter)s')"
+    template = '%(function)s(%(distinct)s%(expressions)s)'
 
     def __init__(self, expression, delimiter, distinct=False, **extra):
         distinct = 'DISTINCT ' if distinct else ''
-        super(StringAgg, self).__init__(expression, delimiter=delimiter, distinct=distinct, **extra)
+        delimiter_expr = Value(str(delimiter))
+        super(StringAgg, self).__init__(expression, delimiter_expr, distinct=distinct, **extra)
 
     def convert_value(self, value, expression, connection, context):
         if not value:
author	Carlton Gibson <carlton.gibson@noumenal.es>	2020-01-22 09:03:27 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2020-01-26 19:02:04 +0100
commit	001b0634cd309e372edb6d7d95d083d02b8e37bd (patch)
tree	7dfeed60d2ca78f895b8fe771b13fd6429090005 /django/contrib/postgres
parent	7fd1ca3ef63e5e834205a8208f4dc17d80f9a417 (diff)