author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 13:48:47 +0200 |
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:58 +0200 |
commit | 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 (patch) | |
tree | 59bbe514736c482903de4d92046e9f58594680d3 /django/db/backends/postgresql/operations.py | |
parent | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (diff) | |
download | django-6723a26e59b0b5429a0c5873941e01a2e1bdbb81.tar.gz |
Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
Diffstat (limited to 'django/db/backends/postgresql/operations.py')
-rw-r--r-- | django/db/backends/postgresql/operations.py | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/django/db/backends/postgresql/operations.py b/django/db/backends/postgresql/operations.py
index 946baea212..ab451ac63f 100644
--- a/django/db/backends/postgresql/operations.py
+++ b/django/db/backends/postgresql/operations.py
@@ -9,6 +9,18 @@ from django.db.models.constants import OnConflict
 class DatabaseOperations(BaseDatabaseOperations):
     cast_char_field_without_max_length = "varchar"
     explain_prefix = "EXPLAIN"
+    explain_options = frozenset(
+        [
+            "ANALYZE",
+            "BUFFERS",
+            "COSTS",
+            "SETTINGS",
+            "SUMMARY",
+            "TIMING",
+            "VERBOSE",
+            "WAL",
+        ]
+    )
     cast_data_types = {
         "AutoField": "integer",
         "BigAutoField": "bigint",
@@ -298,17 +310,20 @@ class DatabaseOperations(BaseDatabaseOperations):
         return super().subtract_temporals(internal_type, lhs, rhs)
 
     def explain_query_prefix(self, format=None, **options):
-        prefix = super().explain_query_prefix(format)
         extra = {}
+        # Normalize options.
+        if options:
+            options = {
+                name.upper(): "true" if value else "false"
+                for name, value in options.items()
+            }
+            for valid_option in self.explain_options:
+                value = options.pop(valid_option, None)
+                if value is not None:
+                    extra[valid_option.upper()] = value
+        prefix = super().explain_query_prefix(format, **options)
         if format:
             extra["FORMAT"] = format
-        if options:
-            extra.update(
-                {
-                    name.upper(): "true" if value else "false"
-                    for name, value in options.items()
-                }
-            )
         if extra:
             prefix += " (%s)" % ", ".join("%s %s" % i for i in extra.items())
         return prefix |
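Review bot: The allow-list loop in explain_query_prefix pops the known names out of `options` but never rejects what is left; the leftovers are only forwarded at `prefix = super().explain_query_prefix(format, **options)`, so keeping a caller-chosen name out of the SQL string depends on the base implementation raising for unknown keys, which is outside this hunk. That reliance should be stated at the forwarding line, e.g. `# Anything still in options is not a known EXPLAIN option; the base implementation is expected to reject it rather than let it reach the SQL.` The same applies to `format`, which is appended unmodified via `extra["FORMAT"] = format` and is presumably validated by the base class as well. Separately, `extra[valid_option.upper()] = value` can be `extra[valid_option] = value`, since every member of `explain_options` in the first hunk is already upper-case; the `# Normalize options.` comment would also read better as `# Upper-case option names and render values as SQL booleans before filtering.`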