Opened 15 years ago

Closed 15 years ago

Last modified 13 years ago

#11623 closed (fixed)

django.core.cache.backends.db does not escape table names

Reported by: Fraser Nevett Owned by: nobody
Component: Core (Cache system) Version: dev
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The table name is simply inserted verbatim into the SQL using string formatting, for example:

cursor.execute("SELECT COUNT(*) FROM %s" % self._table)

If the table name contains characters that require escaping, the generated SQL will be invalid and cause errors to occur.

Attachments (1)

db-cache-quoting.diff (2.5 KB ) - added by Fraser Nevett 15 years ago.
Patch and tests

Download all attachments as: .zip

Change History (8)

by Fraser Nevett, 15 years ago

Attachment: db-cache-quoting.diff added

Patch and tests

comment:1 by Fraser Nevett, 15 years ago

Has patch: set

comment:2 by Alfredo, 15 years ago

I don't think it is a bug

You need to use the following syntax cursor.execute(sql, [params]). If you perform a direct substitution it will have security issues.

http://docs.djangoproject.com/en/dev/topics/db/sql/#performing-raw-sql-queries

comment:3 by Fraser Nevett, 15 years ago

I'm pretty sure using cursor.execute would not work in this case because the value to be inserted is the table name; the second argument to cursor.execute is used for escaping values. Django specifically provides connection.ops.quote_name to quote the table name, which is what my patch updates the code to use.

The fact that no escaping is happening at all at the moment means that there is a bit of a security issue as it stands, though is not really exploitable because the table name comes from the settings file rather than end-user input.

comment:4 by Russell Keith-Magee, 15 years ago

milestone: 1.2
Triage Stage: UnreviewedAccepted

comment:5 by Russell Keith-Magee, 15 years ago

Resolution: fixed
Status: newclosed

(In [12410]) Fixed #11623 -- Corrected table name quoting in db cache backend. Thanks to Fraser Nevett for the report and fix.

comment:6 by Russell Keith-Magee, 15 years ago

(In [12414]) [1.1.X] Fixed #11623 -- Corrected table name quoting in db cache backend. Thanks to Fraser Nevett for the report and fix.

Backport of r12410 from trunk.

comment:7 by Jacob, 13 years ago

milestone: 1.2

Milestone 1.2 deleted

Note: See TracTickets for help on using tickets.
Back to Top