| author | Russell Keith-Magee <russell@keith-magee.com> | 2009-02-08 11:14:56 +0000 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2009-02-08 11:14:56 +0000 |
| commit | f0a7470e405cb237e8b5676fd10f1ea482787baf (patch) | |
| tree | 6fc2ef419e4d5395e6a0997a7e2a994be0338a59 /django/db/models/sql | |
| parent | d4a3a4b0ca7888ed98e03348af062b0d31d779aa (diff) | |
Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/db/models/sql')
| -rw-r--r-- | django/db/models/sql/expressions.py | 5 | ||||
| -rw-r--r-- | django/db/models/sql/where.py | 6 |
2 files changed, 4 insertions, 7 deletions
diff --git a/django/db/models/sql/expressions.py b/django/db/models/sql/expressions.py
index 878f13bbf7..ef9fcb00c3 100644
--- a/django/db/models/sql/expressions.py
+++ b/django/db/models/sql/expressions.py
@@ -64,10 +64,7 @@ class SQLEvaluator(object):
             if hasattr(child, 'evaluate'):
                 sql, params = child.evaluate(self, qn)
             else:
-                try:
-                    sql, params = qn(child), ()
-                except:
-                    sql, params = str(child), ()
+                sql, params = '%s', (child,)
 
             if hasattr(child, 'children') > 1:
                 format = '(%s)'
diff --git a/django/db/models/sql/where.py b/django/db/models/sql/where.py
index d97112e9f3..1d4df127fe 100644
--- a/django/db/models/sql/where.py
+++ b/django/db/models/sql/where.py
@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
             extra = ''
 
         if lookup_type in connection.operators:
-            format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
-                extra)
+            format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
             return (format % (field_sql,
-                connection.operators[lookup_type] % cast_sql), params)
+                connection.operators[lookup_type] % cast_sql,
+                extra), params)
 
         if lookup_type == 'in':
             if not value_annot: |
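Review bot: The new leaf branch `sql, params = '%s', (child,)` states an invariant that the removed `qn(child)` / `str(child)` fallback violated, and it should be written down so nobody reintroduces a text-interpolation path; add above it `# A leaf that is not an expression is never pasted into the SQL text: it is bound as a query parameter, so its contents cannot change the statement.` This also changes what a bare string child means — it was previously attempted as a quoted column name via qn and is now sent as a literal value, which appears to be the intent of the fix but is worth recording in the method's docstring. Unrelated to the change but visible in the context lines, `if hasattr(child, 'children') > 1:` compares a bool with 1 and is always False; presumably `len(child.children) > 1` was meant, and that is pre-existing rather than introduced here. The enclosing SQLEvaluator method starts and ends outside the hunk.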
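Review bot: The reason `extra` was moved out of the first `%` pass and into the final substitution is not recorded in the code, and a later cleanup could easily fold it back into the format string; add above the new `format` line `# 'extra' may itself contain %s placeholders (the expressions.py change in this commit renders F() leaves as parameters), so it must only be substituted in the final pass, never used as part of the format string.` That is what keeps the number of `%s` in the returned SQL aligned with `params`. `connection.ops.lookup_cast(lookup_type)` is still substituted first and its result re-scanned in the second pass, which is presumably deliberate so it can contribute the slot for `field_sql`, but the asymmetry deserves a clause in the same comment. The enclosing WhereNode method starts and ends outside the hunk.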
