#37203 new Bug

Escaped database metadata in inspectdb generated model code

Reported by: Mundur Owned by:
Component: Core (Management commands) Version: dev
Severity: Normal Keywords:
Cc: Mundur Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

inspectdb generates Python model source from database metadata. Most generated metadata already uses repr-style escaping, but two paths still interpolate database-provided values directly into generated source text:

  • composite primary-key column names in models.CompositePrimaryKey(...)
  • table names and exception messages emitted in introspection-error comments

This can produce invalid or unintended generated model code for unusual database schemas containing quotes or newlines.

Proposed fix:

  • render CompositePrimaryKey column names with repr()
  • render introspection-error table names/messages with repr-style output
  • add regression tests for both paths

A pull request with tests is available:
https://github.com/django/django/pull/21581
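
A round-trip check for the two paths named in the description, as an added example that is not code from the ticket or the linked pull request. The function names, the comment wording and the sample schema values are constructed for illustration.

```python
import ast

# Constructed sample metadata, as a database could report it.
COLUMNS = ["tenant_id", 'order"no', "line\nbreak"]
TABLE = "orders\narchive"


def pk_naive(columns):
    """Direct interpolation: quotes each name without escaping it."""
    args = ", ".join(f'"{c}"' for c in columns)
    return f"    pk = models.CompositePrimaryKey({args})"


def pk_escaped(columns):
    """repr()-based rendering, the approach the ticket proposes."""
    args = ", ".join(repr(c) for c in columns)
    return f"    pk = models.CompositePrimaryKey({args})"


def comment_naive(table):
    return f"# Unable to inspect table '{table}'"


def comment_escaped(table):
    return f"# Unable to inspect table {table!r}"


def parsed_pk_args(line):
    """Return the string arguments of a generated pk line, or None if the
    line is not exactly one assignment of a call with literal arguments."""
    try:
        tree = ast.parse("class M:\n" + line + "\n")
    except SyntaxError:
        return None
    body = tree.body[0].body if len(tree.body) == 1 else []
    if len(body) != 1 or not isinstance(body[0], ast.Assign):
        return None
    call = body[0].value
    if not isinstance(call, ast.Call) or call.keywords:
        return None
    try:
        return [ast.literal_eval(arg) for arg in call.args]
    except ValueError:
        return None


def stays_comment(text):
    """True if every physical line of the emitted text is a comment."""
    return all(l.lstrip().startswith("#") for l in text.splitlines())
```

A regression test can assert that the parsed arguments equal the column names the database reported, which fails for any rendering that drops, splits or alters a value.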

Change History (0)
