author | Mike Bayer <mike_mp@zzzcomputing.com> | 2022-10-27 09:28:02 -0400 |
---|---|---|
committer | Mike Bayer <mike_mp@zzzcomputing.com> | 2022-10-27 09:28:02 -0400 |
commit | caa9f0ff98d44359f5162bca8e7fe7bcaa2989a7 (patch) | |
tree | 4c5dc28f076179e1a7bf8c45b9c916c480d53d69 /lib/sqlalchemy/sql | |
parent | 811979150cd9f1aed3d6de6938b84179b2092b89 (diff) | |
apply basic escaping to anon_labels unconditionally
Fixed issue which prevented the :func:`_sql.literal_column` construct from
working properly within the context of a :class:`.Select` construct as well
as other potential places where "anonymized labels" might be generated, if
the literal expression contained characters which could interfere with
format strings, such as open parenthesis, due to an implementation detail
of the "anonymous label" structure.
Fixes: #8724
Change-Id: I3089124fbd055a011c8a245964258503b717d941
Diffstat (limited to 'lib/sqlalchemy/sql')
-rw-r--r-- | lib/sqlalchemy/sql/elements.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/sqlalchemy/sql/elements.py b/lib/sqlalchemy/sql/elements.py
index 8167dc7e4..3f4381c1a 100644
--- a/lib/sqlalchemy/sql/elements.py
+++ b/lib/sqlalchemy/sql/elements.py
@@ -5063,8 +5063,13 @@ class _anonymous_label(_truncated_label):
 sanitize_key: bool = False,
 ) -> _anonymous_label:
+ # need to escape chars that interfere with format
+ # strings in any case, issue #8724
+ body = re.sub(r"[%\(\) \$]+", "_", body)
+
 if sanitize_key:
- body = re.sub(r"[%\(\) \$]+", "_", body).strip("_")
+ # sanitize_key is then an extra step used by BindParameter
+ body = body.strip("_")
 label = "%%(%d %s)s" % (seed, body.replace("%", "%%"))
 if enclosing_label: |
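Review bot: On the unchanged `label = "%%(%d %s)s" % (seed, body.replace("%", "%%"))` line, the `body.replace("%", "%%")` call can no longer match anything, because the new unconditional `re.sub` has already turned every `%` in `body` into `_`. Either simplify it to `label = "%%(%d %s)s" % (seed, body)` or keep it with a comment such as `# defensive: body is already free of % after the re.sub above`, so a later reader does not assume `%` can still reach the format string. The substitution also collapses runs of different characters into a single `_` (for example `a(b` and `a b` both become `a_b`), so uniqueness of the label presumably rests on `seed` alone; a one-line comment stating that would help. The method's signature and the rest of its body lie outside this hunk, so the `enclosing_label` path was not reviewed.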