Cloud:OpenStack:Newton
python-Django
CVE-2019-14234-prevent-sql-injection.patch
File CVE-2019-14234-prevent-sql-injection.patch of Package python-Django
commit a23a39a89df00ae87e077e01d25c3ae8b27c8b40 Author: Mariusz Felisiak <felisiak.mariusz@gmail.com> Date: Mon, 22 Jul 2019 10:45:26 +0200 [1.8.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection. Thanks to Sage M. Abdullah for the report and initial patch. Thanks Florian Apolloner for reviews. diff --git a/django/contrib/postgres/fields/hstore.py b/django/contrib/postgres/fields/hstore.py index b8e47edf17..410d5a0d36 100644 --- a/django/contrib/postgres/fields/hstore.py +++ b/django/contrib/postgres/fields/hstore.py @@ -78,7 +78,7 @@ class KeyTransform(Transform): def as_sql(self, compiler, connection): lhs, params = compiler.compile(self.lhs) - return "(%s -> '%s')" % (lhs, self.key_name), params + return '(%s -> %%s)' % lhs, [self.key_name] + params class KeyTransformFactory(object): diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt index 168fb9f275..cfd55be205 100644 --- a/docs/releases/1.8.19.txt +++ b/docs/releases/1.8.19.txt @@ -59,3 +59,12 @@ Remember that absolutely NO guarantee is provided about the results of ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without escaping it first, for example with :func:`django.utils.html.escape`. + +CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField`` +==================================================================================================== + +:lookup:`Key and index lookups <jsonfield.key>` for +:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups +<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField` +were subject to SQL injection, using a suitably crafted dictionary, with +dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``. diff --git a/tests/postgres_tests/test_hstore.py b/tests/postgres_tests/test_hstore.py index 6333c82e71..9deeb67cd0 100644 
--- a/tests/postgres_tests/test_hstore.py +++ b/tests/postgres_tests/test_hstore.py @@ -4,8 +4,10 @@ from django.contrib.postgres import forms from django.contrib.postgres.fields import HStoreField from django.contrib.postgres.validators import KeysValidator from django.core import exceptions, serializers +from django.db import connection from django.forms import Form from django.test import TestCase +from django.test.utils import CaptureQueriesContext from .models import HStoreModel @@ -128,6 +130,18 @@ class TestQuerying(TestCase): self.objs[:2] ) + def test_key_sql_injection(self): + with CaptureQueriesContext(connection) as queries: + self.assertFalse( + HStoreModel.objects.filter(**{ + "field__test' = 'a') OR 1 = 1 OR ('d": 'x', + }).exists() + ) + self.assertIn( + """."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' """, + queries[0]['sql'], + ) + class TestSerialization(TestCase): test_data = ('[{"fields": {"field": "{\\"a\\": \\"b\\"}"}, '
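Review bot: in the hstore.py hunk the parameter list `[self.key_name] + params` binds the key before whatever parameters the compiled lhs carries, yet the SQL `'(%s -> %%s)' % lhs` places the key's placeholder after the lhs SQL, so the key and any lhs parameters would be bound in the wrong order whenever `compiler.compile(self.lhs)` returns a non-empty `params` (a plain column, as in the new test, yields no params, which is why the test passes either way). Suggest `return '(%s -> %%s)' % lhs, params + [self.key_name]`. Moving the key out of the format string and into the bound parameters is the right shape for the fix; only the ordering is off.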
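Review bot: the release note added to docs/releases/1.8.19.txt (and the commit message) describes the fix as covering key and index lookups for ``JSONField`` as well as key lookups for ``HStoreField``, but the only code and test changes in this patch are to django/contrib/postgres/fields/hstore.py and tests/postgres_tests/test_hstore.py. Either the JSONField change is missing from the patch or the note should be scoped to the ``HStoreField`` key lookup that is actually fixed here, so that every :class: and :lookup: reference it introduces resolves in this branch's docs.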
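Review bot: test_key_sql_injection in test_hstore.py asserts on the rendered SQL string `."field" -> 'test'' = ''a'') OR 1 = 1 OR (''d') = 'x' ` taken from `queries[0]['sql']`, which couples the test to how the PostgreSQL driver interpolates and quotes bound parameters (the doubled single quotes, the trailing space); a change in the driver's rendering would break the test without any regression in the fix. The behavioural check, `assertFalse(... .exists())`, is the one that actually fails on the pre-fix code (the injected `OR 1 = 1` would make every row match), so it should remain the primary assertion, and the SQL-string check could be loosened to verifying that the key appears as a single quoted literal rather than matching the full rendered statement. A short docstring naming CVE-2019-14234 would also tell future readers why this odd-looking key is used.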