Opened 6 years ago

Closed 5 years ago

Last modified 4 years ago

#11623 closed (fixed)

django.core.cache.backends.db does not escape table names

Reported by: frasern
Owned by: nobody
Component: Core (Cache system)
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The table name is simply inserted verbatim into the SQL using string formatting, for example:

cursor.execute("SELECT COUNT(*) FROM %s" % self._table)

If the table name contains characters that require escaping, the generated SQL will be invalid and cause errors to occur.

Attachments (1)

db-cache-quoting.diff (2.5 KB) - added by frasern 6 years ago.
Patch and tests


Change History (8)

Changed 6 years ago by frasern

Patch and tests

comment:1 Changed 6 years ago by frasern

  • Has patch set

comment:2 Changed 6 years ago by Alfredo

I don't think it is a bug.

You need to use the following syntax: cursor.execute(sql, [params]). If you perform a direct substitution it will have security issues.

http://docs.djangoproject.com/en/dev/topics/db/sql/#performing-raw-sql-queries

comment:3 Changed 6 years ago by frasern

I'm pretty sure using cursor.execute would not work in this case because the value to be inserted is the table name; the second argument to cursor.execute is used for escaping values. Django specifically provides connection.ops.quote_name to quote the table name, which is what my patch updates the code to use.

The fact that no escaping is happening at all at the moment means that there is a bit of a security issue as it stands, though is not really exploitable because the table name comes from the settings file rather than end-user input.
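The distinction drawn in the description and in comment:3 (identifiers cannot be passed as query parameters; they need identifier quoting) is shown below as an added example. It is not code from the ticket, the attached patch, or Django itself: it uses the standard library sqlite3 module and a hypothetical quote_name helper that stands in for Django's connection.ops.quote_name (it applies the standard double-quote identifier form; Django's real backends each quote in their own dialect). The table name and rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows in the shape of the db cache backend's table.
SAMPLE_ROWS = [
    ("key1", "value1", "2010-01-01 00:00:00"),
    ("key2", "value2", "2010-01-01 00:00:00"),
]


def quote_name(name):
    """Quote an SQL identifier (hypothetical stand-in for connection.ops.quote_name).

    Wraps the name in double quotes and doubles any embedded double quote, the
    standard SQL identifier form that sqlite accepts. A name that is already
    quoted is returned unchanged, as Django's helper also does.
    """
    if name.startswith('"') and name.endswith('"'):
        return name
    return '"' + name.replace('"', '""') + '"'


def create_cache_table(conn, table):
    """Create and populate a cache-like table under the given (quoted) name."""
    conn.execute(
        "CREATE TABLE %s (cache_key TEXT PRIMARY KEY, value TEXT, expires TEXT)"
        % quote_name(table)
    )
    conn.executemany("INSERT INTO %s VALUES (?, ?, ?)" % quote_name(table), SAMPLE_ROWS)
    conn.commit()


def count_rows_unquoted(conn, table):
    """The pattern reported in the ticket: the identifier is formatted in verbatim."""
    cur = conn.cursor()
    cur.execute("SELECT COUNT(*) FROM %s" % table)
    return cur.fetchone()[0]


def count_rows_quoted(conn, table):
    """The fix the patch applies: quote the identifier before formatting it in."""
    cur = conn.cursor()
    cur.execute("SELECT COUNT(*) FROM %s" % quote_name(table))
    return cur.fetchone()[0]


def count_rows_as_param(conn, table):
    """The suggestion from comment:2: bind the name as a query parameter.

    Parameters are bound as values, never as identifiers, so the database
    rejects the statement at prepare time regardless of the table name.
    """
    cur = conn.cursor()
    cur.execute("SELECT COUNT(*) FROM ?", [table])
    return cur.fetchone()[0]


def run_cases(table):
    """Try all three approaches against a fresh in-memory database.

    Returns a dict mapping approach name to the row count on success or an
    'error: ...' string when the database rejected the statement.
    """
    conn = sqlite3.connect(":memory:")
    create_cache_table(conn, table)
    results = {}
    for label, fn in (
        ("unquoted", count_rows_unquoted),
        ("quoted", count_rows_quoted),
        ("as_param", count_rows_as_param),
    ):
        try:
            results[label] = fn(conn, table)
        except sqlite3.Error as exc:
            results[label] = "error: %s" % exc
    conn.close()
    return results


if __name__ == "__main__":
    # A plain name works either way; a name with a hyphen or a reserved word
    # only works once the identifier is quoted. Parameter binding never works
    # for identifiers.
    for name in ("cache_table", "cache-table", "select"):
        print(name, run_cases(name))
```

Running the block prints one line per table name. For cache_table both the unquoted and the quoted form return 2; for cache-table and select only the quoted form does, and the parameter-bound form fails for every name, which is why the fix has to go through identifier quoting rather than the params argument. As comment:3 notes, the name comes from settings rather than from users, so the practical risk here is broken SQL on unusual names, not injection from untrusted input.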

comment:4 Changed 5 years ago by russellm

  • milestone set to 1.2
  • Triage Stage changed from Unreviewed to Accepted

comment:5 Changed 5 years ago by russellm

  • Resolution set to fixed
  • Status changed from new to closed

(In [12410]) Fixed #11623 -- Corrected table name quoting in db cache backend. Thanks to Fraser Nevett for the report and fix.

comment:6 Changed 5 years ago by russellm

(In [12414]) [1.1.X] Fixed #11623 -- Corrected table name quoting in db cache backend. Thanks to Fraser Nevett for the report and fix.

Backport of r12410 from trunk.

comment:7 Changed 4 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted
