Diffstat (limited to 'django/db/models/sql/query.py')
-rw-r--r--django/db/models/sql/query.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
index 46b4280695..fd4bbdaf35 100644
--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
@@ -49,6 +49,10 @@ __all__ = ["Query", "RawQuery"]
# SQL comments are forbidden in column aliases.
FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+# Inspired from
+# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+EXPLAIN_OPTIONS_PATTERN = _lazy_re_compile(r"[\w\-]+")
+
def get_field_names_from_opts(opts):
return set(
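Review bot: The comment above `EXPLAIN_OPTIONS_PATTERN` gives only a link and never says that the pattern is an allowlist for caller-supplied EXPLAIN option names, which is the security-relevant fact a maintainer needs before loosening it. I would reword it to `# Allowlist for EXPLAIN option names: word characters and hyphens only. Names that fail it are rejected in Query.explain().` and keep the PostgreSQL link as "Inspired by". Note also that `\w` on a str pattern matches Unicode word characters, not only ASCII. If that is wider than intended, `[A-Za-z0-9_\-]+` states the accepted set explicitly. `get_field_names_from_opts` continues outside the hunk and is not part of this point.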
@@ -586,6 +590,12 @@ class Query(BaseExpression):
def explain(self, using, format=None, **options):
q = self.clone()
+ for option_name in options:
+ if (
+ not EXPLAIN_OPTIONS_PATTERN.fullmatch(option_name)
+ or "--" in option_name
+ ):
+ raise ValueError(f"Invalid option name: {option_name!r}.")
q.explain_info = ExplainInfo(format, options)
compiler = q.get_compiler(using=using)
return "\n".join(compiler.explain_query())
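Review bot: The new loop in `explain()` validates only the keys of `options`; the option values and `format` are passed to `ExplainInfo` unchanged, so whether they are safe depends on code outside this hunk. Presumably the backend coerces or checks them before they reach the SQL text, but that is worth confirming and pinning with a test next to the one for invalid names. The separate `"--" in option_name` test is needed because the pattern permits hyphens, and it deserves a one-line comment such as `# Hyphens are allowed individually, but "--" would start an SQL comment.` so it is not later removed as redundant.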