#37203: inspectdb doesn't account for normalized field names when building
CompositePrimaryKey
-------------------------------------+-------------------------------------
Reporter: Mundur | Owner: (none)
Type: Bug | Status: new
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: inspectdb, | Triage Stage: Accepted
compositeprimarykey |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
* keywords: => inspectdb, compositeprimarykey
* needs_better_patch: 0 => 1
* stage: Unreviewed => Accepted
* summary: Escaped database metadata in inspectdb generated model code =>
inspectdb doesn't account for normalized field names when building
CompositePrimaryKey
Comment:
Thanks for the report. Your test demonstrates a more serious issue than
the invalid python identifiers -- we're calculating the field names for
the positional arguments to `CompositePrimaryKey` ''before'' those field
names are potentially rewritten in `normalize_col_name()`. In other words,
your provided test asserts that the first positional argument is `x',
'safe');__import__('os').system('echo unsafe')#`, but it should really be
`x_safe_import_os_system_echo_unsafe_field`.
We can fix the `repr()` inconsistencies you found along the way, but I'd
like to reframe this ticket along the above lines. If you continue with
this, please assign yourself in the owner field, and please also choose a
simpler example -- the given example is giving "security exploit", but
that's a distraction here (deploying a malicious column name implies full
system compromise already).
--
Ticket URL: <
https://code.djangoproject.com/ticket/37203#comment:2>
Django <
https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.