mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-25 05:04:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.

Browse source
This commit is contained in:
Simon Charette 2019-12-31 12:46:06 -05:00 committed by Carlton Gibson
parent 6b178a3e93
commit eb31d84532
7 changed files with 45 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tests/postgres_tests/test_aggregates.py
View file

@ -169,6 +169,10 @@ class TestGeneralAggregate(PostgreSQLTestCase):
with self.assertRaises(TypeError):
AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field'))
def test_string_agg_delimiter_escaping(self):
values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter="'"))
self.assertEqual(values, {'stringagg': "Foo1'Foo2'Foo4'Foo3"})
def test_string_agg_charfield(self):
values = AggregateTestModel.objects.aggregate(stringagg=StringAgg('char_field', delimiter=';'))
self.assertEqual(values, {'stringagg': 'Foo1;Foo2;Foo4;Foo3'})