[Django] #37203: Escaped database metadata in inspectdb generated model code

7 views
Skip to first unread message

Django

unread,
Jul 5, 2026, 11:33:23 AM (17 hours ago) Jul 5
to django-...@googlegroups.com
#37203: Escaped database metadata in inspectdb generated model code
-------------------------------------+-------------------------------------
Reporter: Mundur | Type: Bug
Status: new | Component: Core
| (Management commands)
Version: dev | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
inspectdb generates Python model source from database metadata. Most
generated metadata already uses repr-style escaping, but two paths still
interpolate database-provided values directly into generated
source text:

* composite primary-key column names in
models.CompositePrimaryKey(...)
* table names and exception messages emitted in introspection-error
comments

This can produce invalid or unintended generated model code for
unusual database schemas containing quotes or newlines.

Proposed fix:
* render CompositePrimaryKey column names with repr()
* render introspection-error table names/messages with repr-style
output
* add regression tests for both paths

A pull request with tests is available:
https://github.com/django/django/pull/21581
--
Ticket URL: <https://code.djangoproject.com/ticket/37203>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,
Jul 5, 2026, 1:20:45 PM (15 hours ago) Jul 5
to django-...@googlegroups.com
#37203: Escaped database metadata in inspectdb generated model code
-------------------------------------+-------------------------------------
Reporter: Mundur | Owner: (none)
Type: Bug | Status: new
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by David Smith:

Old description:

> inspectdb generates Python model source from database metadata. Most
> generated metadata already uses repr-style escaping, but two paths still
> interpolate database-provided values directly into generated
> source text:
>
> * composite primary-key column names in
> models.CompositePrimaryKey(...)
> * table names and exception messages emitted in introspection-error
> comments
>
> This can produce invalid or unintended generated model code for
> unusual database schemas containing quotes or newlines.
>
> Proposed fix:
> * render CompositePrimaryKey column names with repr()
> * render introspection-error table names/messages with repr-style
> output
> * add regression tests for both paths
>
> A pull request with tests is available:
> https://github.com/django/django/pull/21581

New description:

inspectdb generates Python model source from database metadata. Most
generated metadata already uses repr-style escaping, but two paths still
interpolate database-provided values directly into generated source text:

* composite primary-key column names in
models.CompositePrimaryKey(...)
* table names and exception messages emitted in introspection-error
comments

This can produce invalid or unintended generated model code for unusual
database schemas containing quotes or newlines.

Proposed fix:
* render CompositePrimaryKey column names with repr()
* render introspection-error table names/messages with repr-style
output
* add regression tests for both paths

A pull request with tests is available:
https://github.com/django/django/pull/21581

--
--
Ticket URL: <https://code.djangoproject.com/ticket/37203#comment:1>
Reply all
Reply to author
Forward
0 new messages