Fixed #31426 -- Added proper field validation to QuerySet.order_by().

Resolve the field reference instead of using fragile regex based string reference validation.
author: Simon Charette <charette.s@gmail.com> 2020-04-05 15:45:06 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-04-06 10:19:49 +0200
commit: 513948735b799239f3ef8c89397592445e1a0cd5 (patch)
tree: 8209114fe5dcd254318c86781bcce54c95d98d80 /django/db/models/sql/query.py
parent: 98ea4f0f4696221f00e111f1d623452002192e6c (diff)
1 files changed, 14 insertions, 4 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 82ff6bf4ea..bb230647eb 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -30,9 +30,7 @@ from django.db.models.lookups import Lookup
 from django.db.models.query_utils import (
     Q, check_rel_lookup_compatibility, refs_expression,
 )
-from django.db.models.sql.constants import (
-    INNER, LOUTER, ORDER_DIR, ORDER_PATTERN, SINGLE,
-)
+from django.db.models.sql.constants import INNER, LOUTER, ORDER_DIR, SINGLE
 from django.db.models.sql.datastructures import (
     BaseTable, Empty, Join, MultiJoin,
 )
@@ -1895,7 +1893,7 @@ class Query(BaseExpression):
         """
         errors = []
         for item in ordering:
-            if isinstance(item, str) and ORDER_PATTERN.match(item):
+            if isinstance(item, str):
                 if '.' in item:
                     warnings.warn(
                         'Passing column raw column aliases to order_by() is '
@@ -1904,6 +1902,18 @@ class Query(BaseExpression):
                         category=RemovedInDjango40Warning,
                         stacklevel=3,
                     )
+                    continue
+                if item == '?':
+                    continue
+                if item.startswith('-'):
+                    item = item[1:]
+                if item in self.annotations:
+                    continue
+                if self.extra and item in self.extra:
+                    continue
+                # names_to_path() validates the lookup. A descriptive
+                # FieldError will be raise if it's not.
+                self.names_to_path(item.split(LOOKUP_SEP), self.model._meta)
             elif not hasattr(item, 'resolve_expression'):
                 errors.append(item)
             if getattr(item, 'contains_aggregate', False):
author	Simon Charette <charette.s@gmail.com>	2020-04-05 15:45:06 -0400
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-04-06 10:19:49 +0200
commit	513948735b799239f3ef8c89397592445e1a0cd5 (patch)
tree	8209114fe5dcd254318c86781bcce54c95d98d80 /django/db/models/sql/query.py
parent	98ea4f0f4696221f00e111f1d623452002192e6c (diff)