author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-07-22 10:45:26 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-08-01 09:24:54 +0200
commit: 7deeabc7c7526786df6894429ce89a9c4b614086 (patch)
tree: 06b8f339b2b2899ebe2cac69e662f44f4536f5f6 /docs/releases/2.2.4.txt
parent: 4b78420d250df5e21763633871e486ee76728cc4 (diff)
Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
Thanks to Sage M. Abdullah for the report and initial patch. Thanks Florian Apolloner for reviews.
Diffstat (limited to 'docs/releases/2.2.4.txt'):
-rw-r--r--  docs/releases/2.2.4.txt  9
1 file changed, 9 insertions, 0 deletions
diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt
index c965373677..3aac51869c 100644
--- a/docs/releases/2.2.4.txt
+++ b/docs/releases/2.2.4.txt
@@ -37,6 +37,15 @@ Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.
+CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
+====================================================================================================
+
+:lookup:`Key and index lookups <jsonfield.key>` for
+:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
+<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
+were subject to SQL injection, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
+
Bugfixes
========
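Review bot: the new section (lines starting ``:lookup:`Key and index lookups`` through ``QuerySet.filter()``) describes the vulnerability but never says what changed, which a reader upgrading to 2.2.4 will look for first; the commit message states that the lookups are now protected, so consider closing the paragraph with a sentence along the lines of "Key and index lookups for these fields are now properly escaped." Secondly, the sentence "were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``" stacks three comma-separated qualifiers and is hard to parse; a tighter form would be "were subject to SQL injection when a suitably crafted dictionary was passed, via dictionary expansion, as the ``**kwargs`` to ``QuerySet.filter()``". The heading underline length matches the 100-character title, and the placement between the preceding CVE entry and the ``Bugfixes`` section follows the existing layout of the file.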