[1.11.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.

author: Carlton Gibson <carlton.gibson@noumenal.es> 2020-01-22 09:03:27 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2020-01-26 19:02:04 +0100
commit: 001b0634cd309e372edb6d7d95d083d02b8e37bd (patch)
tree: 7dfeed60d2ca78f895b8fe771b13fd6429090005 /tests/postgres_tests
parent: 7fd1ca3ef63e5e834205a8208f4dc17d80f9a417 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/tests/postgres_tests/test_aggregates.py b/tests/postgres_tests/test_aggregates.py
index 9aa0e06595..ddfd7fce26 100644
--- a/tests/postgres_tests/test_aggregates.py
+++ b/tests/postgres_tests/test_aggregates.py
@@ -108,6 +108,10 @@ class TestGeneralAggregate(PostgreSQLTestCase):
         with self.assertRaises(TypeError):
             AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field'))
 
+    def test_string_agg_delimiter_escaping(self):
+        values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter="'"))
+        self.assertEqual(values, {'stringagg': "Foo1'Foo2'Foo3'Foo4"})
+
     def test_string_agg_charfield(self):
         values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter=';'))
         self.assertEqual(values, {'stringagg': 'Foo1;Foo2;Foo3;Foo4'})
author	Carlton Gibson <carlton.gibson@noumenal.es>	2020-01-22 09:03:27 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2020-01-26 19:02:04 +0100
commit	001b0634cd309e372edb6d7d95d083d02b8e37bd (patch)
tree	7dfeed60d2ca78f895b8fe771b13fd6429090005 /tests/postgres_tests
parent	7fd1ca3ef63e5e834205a8208f4dc17d80f9a417 (diff)