Opened 11 months ago

Closed 11 months ago

Last modified 11 months ago

#22493 closed Cleanup/optimization (fixed)

Documentation for raw() and extra() should warn about SQL injection

Reported by: erikr
Owned by: mardini
Component: Documentation
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Using the raw() and extra() methods can result in SQL injection vulnerabilities, if not used carefully. However, the documentation does not mention this. The Security in Django document does include a warning regarding raw() and extra(), but I think a SQL injection is potentially so severe that we should also note this in the documentation for raw() and extra() itself.

Change History (5)

comment:1 Changed 11 months ago by timo

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

extra() does say "Always use params instead of embedding values directly into where because params will ensure values are quoted correctly according to your particular backend. For example, quotes will be escaped correctly." but I agree this warning is not very prominent.
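
The following is an added illustration of the point made in the description and in comment:1; it is not code from the ticket or from Django's documentation. It reproduces the two ways of building a query against an in-memory sqlite3 table rather than through the Django ORM, because raw(sql, params) and extra(where=[...], params=[...]) ultimately hand the SQL string and the params list to the same DB-API cursor.execute() call, so the injection and its fix look the same at that level. The table, the users and the payload strings are constructed for the example. One difference to keep in mind: Django's raw() and extra() always take %s placeholders regardless of backend, while the sqlite3 module used here takes ?.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the ticket).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany(
        "INSERT INTO auth_user (username, is_staff) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


# --- raw()-style: the whole statement is supplied by the caller ---------------

def lookup_unsafe(conn, username):
    """String formatting puts the value inside the SQL text.

    This is the shape of
        User.objects.raw("SELECT * FROM auth_user WHERE username = '%s'" % username)
    which the ticket asks the docs to warn against.
    """
    sql = "SELECT id, username FROM auth_user WHERE username = '%s'" % username
    return [row[1] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """The value travels separately as a bound parameter.

    This is the shape of
        User.objects.raw("SELECT * FROM auth_user WHERE username = %s", [username])
    (Django uses %s; the sqlite3 module used here uses ?).
    """
    sql = "SELECT id, username FROM auth_user WHERE username = ?"
    return [row[1] for row in conn.execute(sql, [username])]


# --- extra()-style: only a WHERE fragment is supplied -------------------------
# Assumption for the example: the fragment is ANDed onto an existing filter
# (here is_staff = 1) and wrapped in parentheses, as a queryset filter would be.

def staff_by_name_unsafe(conn, username):
    """Shape of qs.extra(where=["username = '%s'" % username])."""
    where = "username = '%s'" % username
    sql = "SELECT username FROM auth_user WHERE is_staff = 1 AND (%s)" % where
    return [row[0] for row in conn.execute(sql)]


def staff_by_name_safe(conn, username):
    """Shape of qs.extra(where=["username = %s"], params=[username])."""
    sql = "SELECT username FROM auth_user WHERE is_staff = 1 AND (username = ?)"
    return [row[0] for row in conn.execute(sql, [username])]


def demo():
    """Run both variants against benign and hostile input; return the results."""
    conn = make_db()
    # Constructed payloads: the first closes the quoted literal and appends a
    # tautology; the second also closes the surrounding parenthesis so the
    # tautology escapes the AND and applies to the whole WHERE clause.
    raw_payload = "' OR '1'='1"
    extra_payload = "x') OR ('1'='1"
    results = {
        "raw_unsafe_benign": lookup_unsafe(conn, "alice"),
        "raw_unsafe_attack": lookup_unsafe(conn, raw_payload),
        "raw_safe_attack": lookup_safe(conn, raw_payload),
        "extra_unsafe_attack": staff_by_name_unsafe(conn, extra_payload),
        "extra_safe_attack": staff_by_name_safe(conn, extra_payload),
        "extra_safe_benign": staff_by_name_safe(conn, "alice"),
    }
    # A non-malicious apostrophe also breaks the unsafe form, which is why the
    # extra() docs already say params "will ensure values are quoted correctly".
    try:
        lookup_unsafe(conn, "o'brien")
        results["raw_unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["raw_unsafe_apostrophe"] = "syntax error"
    results["raw_safe_apostrophe"] = lookup_safe(conn, "o'brien")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %r" % (name, value))
```

The unsafe variants return every user for the hostile input (and raise on an ordinary apostrophe), while the parameterised variants treat the same strings as literal usernames and match nothing; that difference is the whole of the warning the ticket asks to add to the raw() and extra() reference pages.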

comment:2 Changed 11 months ago by mardini

  • Owner changed from nobody to mardini
  • Status changed from new to assigned

comment:3 Changed 11 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 3776926cfe503f16c7195621da20c5b89bda70a2:

Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

comment:4 Changed 11 months ago by Tim Graham <timograham@…>

In 2b0e9aa57d4c5b5dbad7d300b4e383d384941034:

[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe503f16c7195621da20c5b89bda70a2 from master

comment:5 Changed 11 months ago by Tim Graham <timograham@…>

In ae1535606145df9c858d4c5a5a2d9a9cff9f3992:

[1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe from master
