Opened 70 minutes ago
#37203 new Bug
Escaped database metadata in inspectdb generated model code
| Reported by: | Mundur | Owned by: | |
|---|---|---|---|
| Component: | Core (Management commands) | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Mundur | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
inspectdb generates Python model source from database metadata. Most generated metadata already uses repr-style escaping, but two paths still interpolate database-provided values directly into generated source text:
- composite primary-key column names in models.CompositePrimaryKey(...)
- table names and exception messages emitted in introspection-error comments
This can produce invalid or unintended generated model code for unusual database schemas containing quotes or newlines.
Proposed fix:
- render CompositePrimaryKey column names with repr()
- render introspection-error table names/messages with repr-style output
- add regression tests for both paths
A pull request with tests is available:
https://github.com/django/django/pull/21581
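The two paths the ticket describes can be reproduced outside Django with a small model of the code generator. The following is an added example, not code from Django or from the pull request: the function names (`render_naive`, `render_repr`, `render_error_comment`, `generated_args`, `is_comment_only`) are hypothetical, and the column names and error message are constructed to contain the quotes and newlines the ticket warns about. The check parses the generated text with `ast` to show that direct interpolation yields invalid Python or a comment that "leaks" into a statement, while `repr()` rendering round-trips the original values.

```python
import ast

# Constructed sample metadata; not taken from any real database schema.
SAMPLE_COLUMNS = ["id", "tenant_id", 'weird"name', "multi\nline", "it's"]
SAMPLE_TABLE = "some_table"
SAMPLE_ERROR = "permission denied\nrows = 1"  # newline splits a generated comment


def render_naive(columns):
    """Interpolate names straight into the generated source (the unsafe pattern)."""
    joined = ", ".join(f"'{c}'" for c in columns)
    return f"pk = models.CompositePrimaryKey({joined})"


def render_repr(columns):
    """Render each name with repr(), so quotes and newlines are escaped."""
    joined = ", ".join(repr(c) for c in columns)
    return f"pk = models.CompositePrimaryKey({joined})"


def generated_args(source):
    """Parse one generated line and return its string-literal arguments.

    Returns None when the text is not valid Python or the call's arguments
    are not plain string constants, i.e. when the schema changed the code.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Assign):
        return None
    call = tree.body[0].value
    if not isinstance(call, ast.Call):
        return None
    args = []
    for arg in call.args:
        if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
            return None
        args.append(arg.value)
    return args


def render_error_comment(table, message, safe):
    """Emit the introspection-error comment, either raw or repr-escaped."""
    if safe:
        table, message = repr(table), repr(message)
    return f"# Unable to inspect table {table}\n# The error was: {message}"


def is_comment_only(source):
    """True only if the text parses and contains no statements at all."""
    try:
        return len(ast.parse(source).body) == 0
    except SyntaxError:
        return False


if __name__ == "__main__":
    print("naive :", generated_args(render_naive(SAMPLE_COLUMNS)))   # None
    print("repr  :", generated_args(render_repr(SAMPLE_COLUMNS)))    # original list
    print("naive comment stays comment:",
          is_comment_only(render_error_comment(SAMPLE_TABLE, SAMPLE_ERROR, safe=False)))
    print("repr comment stays comment :",
          is_comment_only(render_error_comment(SAMPLE_TABLE, SAMPLE_ERROR, safe=True)))
```

The same `ast`-based check is a reasonable regression test for any code generator: parse what you emitted and confirm that every database-provided value comes back as a literal (and that comments come back as nothing), rather than trusting the template by inspection.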