authorSimon Charette <charette.s@gmail.com>2021-06-18 01:16:10 -0400
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-07-01 08:36:17 +0200
commit0bd57a879a0d54920bb9038a732645fb917040e9 (patch)
tree6c2cf9581885bc4a39329adf3a78b17bf80abed6 /django/db/models/sql
parent8dc1cc0b306168eb1c0a0fc5457b6f1156fcbcff (diff)
[3.1.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5 by marking the raw SQL column reference feature for deprecation in Django 4.0 while lifting the column format validation. In retrospect the validation should have been kept around and the user should have been pointed at using RawSQL expressions during the deprecation period. The main branch is not affected because the raw SQL column reference support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff per the 4.0 deprecation life cycle. Thanks Joel Saunders for the report.
Diffstat (limited to 'django/db/models/sql')
-rw-r--r--django/db/models/sql/constants.py2
-rw-r--r--django/db/models/sql/query.py6
2 files changed, 6 insertions, 2 deletions
diff --git a/django/db/models/sql/constants.py b/django/db/models/sql/constants.py
index a1db61b9ff..97edf7525e 100644
--- a/django/db/models/sql/constants.py
+++ b/django/db/models/sql/constants.py
@@ -1,6 +1,7 @@
"""
Constants specific to the SQL storage portion of the ORM.
"""
+from django.utils.regex_helper import _lazy_re_compile
# Size of each "chunk" for get_iterator calls.
# Larger values are slightly faster at the expense of more storage space.
@@ -18,6 +19,7 @@ ORDER_DIR = {
'ASC': ('ASC', 'DESC'),
'DESC': ('DESC', 'ASC'),
}
+ORDER_PATTERN = _lazy_re_compile(r'[-+]?[.\w]+$')
# SQL join types.
INNER = 'INNER JOIN'
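Review bot: The `$` anchor on the added `ORDER_PATTERN = _lazy_re_compile(r'[-+]?[.\w]+$')` line also matches just before a trailing newline, so a string such as `'a.b\n'` still satisfies the `'.' in item and ORDER_PATTERN.match(item)` guard that query.py applies to raw column references. If the intent is to accept only the exact `[-+]table.column` form, anchor with `\Z` instead: `ORDER_PATTERN = _lazy_re_compile(r'[-+]?[.\w]+\Z')`. The constant is also undocumented; a one-line comment above it, `# Allowed shape of a raw column reference passed to order_by(); anything else is not treated as raw SQL.`, would tell the next maintainer why the pattern is deliberately narrow.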
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 7a16d4889a..2b5f1d8b85 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -30,7 +30,9 @@ from django.db.models.lookups import Lookup
from django.db.models.query_utils import (
Q, check_rel_lookup_compatibility, refs_expression,
)
-from django.db.models.sql.constants import INNER, LOUTER, ORDER_DIR, SINGLE
+from django.db.models.sql.constants import (
+ INNER, LOUTER, ORDER_DIR, ORDER_PATTERN, SINGLE,
+)
from django.db.models.sql.datastructures import (
BaseTable, Empty, Join, MultiJoin,
)
@@ -1897,7 +1899,7 @@ class Query(BaseExpression):
errors = []
for item in ordering:
if isinstance(item, str):
- if '.' in item:
+ if '.' in item and ORDER_PATTERN.match(item):
warnings.warn(
'Passing column raw column aliases to order_by() is '
'deprecated. Wrap %r in a RawSQL expression before '