summaryrefslogtreecommitdiff
path: root/django/db/models/sql/query.py
diff options
context:
space:
mode:
Diffstat (limited to 'django/db/models/sql/query.py')
-rw-r--r--django/db/models/sql/query.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 1df916b724..230b6fa861 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -50,6 +50,10 @@ __all__ = ['Query', 'RawQuery']
# SQL comments are forbidden in column aliases.
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+# Inspired from
+# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+EXPLAIN_OPTIONS_PATTERN = _lazy_re_compile(r"[\w\-]+")
+
def get_field_names_from_opts(opts):
return set(chain.from_iterable(
@@ -558,6 +562,12 @@ class Query(BaseExpression):
def explain(self, using, format=None, **options):
q = self.clone()
+ for option_name in options:
+ if (
+ not EXPLAIN_OPTIONS_PATTERN.fullmatch(option_name) or
+ "--" in option_name
+ ):
+ raise ValueError(f"Invalid option name: {option_name!r}.")
q.explain_query = True
q.explain_format = format
q.explain_options = options
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 02:45:15 +0000