From 0bd57a879a0d54920bb9038a732645fb917040e9 Mon Sep 17 00:00:00 2001 From: Simon Charette Date: Fri, 18 Jun 2021 01:16:10 -0400 Subject: [3.1.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by(). Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5 by marking the raw SQL column reference feature for deprecation in Django 4.0 while lifting the column format validation. In retrospective the validation should have been kept around and the user should have been pointed at using RawSQL expressions during the deprecation period. The main branch is not affected because the raw SQL column reference support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff per the 4.0 deprecation life cycle. Thanks Joel Saunders for the report. --- django/db/models/sql/query.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'django/db/models/sql/query.py') diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 7a16d4889a..2b5f1d8b85 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -30,7 +30,9 @@ from django.db.models.lookups import Lookup from django.db.models.query_utils import ( Q, check_rel_lookup_compatibility, refs_expression, ) -from django.db.models.sql.constants import INNER, LOUTER, ORDER_DIR, SINGLE +from django.db.models.sql.constants import ( + INNER, LOUTER, ORDER_DIR, ORDER_PATTERN, SINGLE, +) from django.db.models.sql.datastructures import ( BaseTable, Empty, Join, MultiJoin, ) @@ -1897,7 +1899,7 @@ class Query(BaseExpression): errors = [] for item in ordering: if isinstance(item, str): - if '.' in item: + if '.' in item and ORDER_PATTERN.match(item): warnings.warn( 'Passing column raw column aliases to order_by() is ' 'deprecated. Wrap %r in a RawSQL expression before ' -- cgit v1.3