Possible bug - Incorrect escaping in Django SQL query
55 views
Skip to first unread message
Roshan Raghupathy
Jun 1, 2017, 5:59:17 AM6/1/17
to Django users
Hi,
I came across an issue yesterday. Post on stackoverflow
On further investigation today, I think I found the source of the issue. It's this line. The parameters which are escaped here are never reverted back to the original form.
I tested a dirty fix by converting all '%%s' to '%s' and the query worked. Should I submit a bug? Has it been submitted already?
Michal Petrucha
Jun 2, 2017, 5:15:23 AM6/2/17
to Django users
On Thu, Jun 01, 2017 at 02:29:17AM -0700, Roshan Raghupathy wrote:
> Hi,
> I came across an issue yesterday. Post on stackoverflow
> <https://stackoverflow.com/questions/44287443/incorrect-escaping-in-django-sql-query>
> Hi,
> I came across an issue yesterday. Post on stackoverflow
>
> On further investigation today, I think I found the source of the issue.
> It's this line
> <https://github.com/django/django/blob/master/django/db/models/functions/datetime.py#L149>.
> On further investigation today, I think I found the source of the issue.
> It's this line
> The parameters which are escaped here are never reverted back to the
> original form.
> I tested a dirty fix by converting all '%%s' to '%s' and the query worked.
> Should I submit a bug? Has it been submitted already?
Hi Roshan,
> original form.
> I tested a dirty fix by converting all '%%s' to '%s' and the query worked.
> Should I submit a bug? Has it been submitted already?
I just took a quick look, and it seems you are right – in all of the
official backend implementations, the *_trunc_sql only use the second
argument in the right-hand side of string formatting, so this
double-percent escaping appears to be wrong there.
I did a quick search through the issue tracker, and didn't find
anything about this issue, would you mind submitting a new bug report?
It would be best if you could include a complete minimal example that
we could easily run to reproduce the problem.
Thanks,
Michal
Tim Graham
Jun 2, 2017, 12:16:14 PM6/2/17
to Django users
Cross posted to django-developers: https://groups.google.com/d/topic/django-developers/sIjOXpbQWZ0/discussion
In the future, please keep the conversation in one place. django-users is fine for asking "is it a bug?" questions.
In the future, please keep the conversation in one place. django-users is fine for asking "is it a bug?" questions.
My reply from django-developers:
I couldn't find any testing of TruncDay with Value().
Is there a difference between the query you're trying to construct and MyModel.objects.filter(created__lt=timezone.now().date()) ?
Is there a difference between the query you're trying to construct and MyModel.objects.filter(created__lt=timezone.now().date()) ?
Reply all
Reply to author
Forward
0 new messages