#11623 closed (fixed)
django.core.cache.backends.db does not escape table names
| Reported by: | Fraser Nevett | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Cache system) | Version: | dev |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The table name is simply inserted verbatim into the SQL using string formatting, for example:
```python
cursor.execute("SELECT COUNT(*) FROM %s" % self._table)
```
If the table name contains characters that require escaping, the generated SQL will be invalid and cause errors to occur.
Attachments (1)
Change History (8)
by , 16 years ago
| Attachment: | db-cache-quoting.diff added |
|---|
comment:1 by , 16 years ago
| Has patch: | set |
|---|
comment:2 by , 16 years ago
I don't think it is a bug.
You need to use the following syntax cursor.execute(sql, [params]). If you perform a direct substitution it will have security issues.
http://docs.djangoproject.com/en/dev/topics/db/sql/#performing-raw-sql-queries
comment:3 by , 16 years ago
I'm pretty sure using cursor.execute would not work in this case because the value to be inserted is the table name; the second argument to cursor.execute is used for escaping values. Django specifically provides connection.ops.quote_name to quote the table name, which is what my patch updates the code to use.
The fact that no escaping is happening at all at the moment means that there is a bit of a security issue as it stands, though is not really exploitable because the table name comes from the settings file rather than end-user input.
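The three approaches discussed in comments 2 and 3, shown side by side against SQLite as an added example (not Django's code or the attached patch): verbatim formatting breaks on a table name that needs quoting, a bound parameter cannot stand in for an identifier at all, and only identifier quoting works. The `quote_name` here is a stand-in for `connection.ops.quote_name` and the table name is a constructed one.

```python
import sqlite3
from typing import Dict, Optional


def quote_name(name: str) -> str:
    """Quote an SQL identifier for SQLite/PostgreSQL-style backends.

    Stand-in (assumption) for Django's connection.ops.quote_name: wrap the
    name in double quotes and double any embedded double quote. Identifiers
    cannot be bound parameters, so quoting is the only safe way to use them.
    """
    return '"%s"' % name.replace('"', '""')


def count_rows(conn: sqlite3.Connection, table: str, how: str) -> Optional[int]:
    """Count rows in `table` using one of three strategies.

    'format' -> verbatim string formatting (the pattern the ticket reports)
    'param'  -> bound parameter (the suggestion in comment 2)
    'quoted' -> identifier quoting (the approach of the attached patch)
    Returns the count, or None when the generated SQL is rejected.
    """
    cur = conn.cursor()
    try:
        if how == "format":
            cur.execute("SELECT COUNT(*) FROM %s" % table)
        elif how == "param":
            cur.execute("SELECT COUNT(*) FROM ?", [table])
        elif how == "quoted":
            cur.execute("SELECT COUNT(*) FROM %s" % quote_name(table))
        else:
            raise ValueError(how)
        return cur.fetchone()[0]
    except sqlite3.OperationalError:
        # Syntax error or "no such table": the SQL was invalid as generated.
        return None


def demo() -> Dict[str, Optional[int]]:
    # Constructed example: a cache table whose name contains a hyphen,
    # so it is only addressable when quoted.
    table = "cache-table"
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (cache_key TEXT, value TEXT)" % quote_name(table))
    conn.executemany("INSERT INTO %s VALUES (?, ?)" % quote_name(table),
                     [("k1", "v1"), ("k2", "v2"), ("k3", "v3")])
    return {how: count_rows(conn, table, how) for how in ("format", "param", "quoted")}
```

`demo()` returns `{'format': None, 'param': None, 'quoted': 3}`: only the quoted identifier yields a valid query.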
comment:4 by , 16 years ago
| milestone: | → 1.2 |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:5 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Patch and tests