mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-24 05:36:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

[3.1.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().

Browse source 
Regression introduced in 513948735b
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.

In retrospective the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.

The main branch is not affected because the raw SQL column reference
support has been removed in 06eec31970
per the 4.0 deprecation life cycle.

Thanks Joel Saunders for the report.
This commit is contained in:
Simon Charette 2021-06-18 01:16:10 -04:00 committed by Mariusz Felisiak
parent 8dc1cc0b30
commit 0bd57a879a
4 changed files with 27 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

14
docs/releases/3.1.13.txt
View file

@ -6,4 +6,16 @@ Django 3.1.13 release notes
Django 3.1.13 fixes a security issues with severity "high" in 3.1.12.
...
CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
=====================================================================================
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
column reference validation in path marked for deprecation resulting in a
potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a side
effect of fixing :ticket:`31426`.
The issue is not present in the main branch as the deprecated path has been
removed.