#37203: Escaped database metadata in inspectdb generated model code
-------------------------------------+-------------------------------------
Reporter: Mundur | Type: Bug
Status: new | Component: Core
| (Management commands)
Version: dev | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
inspectdb generates Python model source from database metadata. Most
generated metadata already uses repr-style escaping, but two paths still
interpolate database-provided values directly into generated
source text:
* composite primary-key column names in
models.CompositePrimaryKey(...)
* table names and exception messages emitted in introspection-error
comments
This can produce invalid or unintended generated model code for
unusual database schemas containing quotes or newlines.
Proposed fix:
* render CompositePrimaryKey column names with repr()
* render introspection-error table names/messages with repr-style
output
* add regression tests for both paths
A pull request with tests is available:
https://github.com/django/django/pull/21581
--
Ticket URL: <
https://code.djangoproject.com/ticket/37203>
Django <
https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.