Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

Fri, 02 Aug 2019 04:54:13 -0700 

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  2.2
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  0                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Description changed by felixxm:

Old description:

> JSONField/HStoreField key and index transforms crash when we pass
> expressions with parameters, e.g.
> {{{
> KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}'])
> }}}
> this is caused by regression introduced in the last security release
> 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
> undocumented and such usage is untested.

New description:

 JSONField/HStoreField key and index transforms crash when we pass
 expressions with parameters, e.g.
 {{{
 KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}'])
 }}}
 this is caused by regression introduced in the last security release
 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
 undocumented and such usage is untested.

 Crash for nested keys in
 
[https://github.com/django/django/blob/194d1dfc186cc8d2b35dabf64f3ed38b757cbd98/django/contrib/postgres/fields/jsonb.py#L109-L110
 KeyTransform] for `JSONField` is not a regression because it has not been
 changed since its introduction.

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.7c6686357c622f09c5f49cb4bd8d324c%40djangoproject.com.

Reply via email to