mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-30 09:06:13 +00:00
Code Issues 32 Releases Wiki Activity

[3.0.x] Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation.

Browse Source 
This was a regression introduced by 7deeabc7c7
to address CVE-2019-14234.

Thanks Tim Kleinschmidt for the report and Mariusz for the tests.

Backport of 6c3dfba892 from master
This commit is contained in:
Simon Charette
2019-09-15 23:25:50 -04:00
committed by Mariusz Felisiak
parent 7bd28727ad
commit 574154ef56
7 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tests/postgres_tests/test_hstore.py
View File

@@ -2,7 +2,7 @@ import json
from django.core import checks, exceptions, serializers
from django.db import connection
from django.db.models.expressions import RawSQL
from django.db.models.expressions import OuterRef, RawSQL, Subquery
from django.forms import Form
from django.test.utils import CaptureQueriesContext, isolate_apps
@@ -207,6 +207,12 @@ class TestQuerying(PostgreSQLTestCase):
queries[0]['sql'],
)
def test_obj_subquery_lookup(self):
qs = HStoreModel.objects.annotate(
value=Subquery(HStoreModel.objects.filter(pk=OuterRef('pk')).values('field')),
).filter(value__a='b')
self.assertSequenceEqual(qs, self.objs[:2])
@isolate_apps('postgres_tests')
class TestChecks(PostgreSQLSimpleTestCase):

8
tests/postgres_tests/test_json.py
View File

@@ -6,7 +6,7 @@ from decimal import Decimal
from django.core import checks, exceptions, serializers
from django.core.serializers.json import DjangoJSONEncoder
from django.db import connection
from django.db.models import Count, F, Q
from django.db.models import Count, F, OuterRef, Q, Subquery
from django.db.models.expressions import RawSQL
from django.db.models.functions import Cast
from django.forms import CharField, Form, widgets
@@ -303,6 +303,12 @@ class TestQuerying(PostgreSQLTestCase):
[self.objs[7], self.objs[8]]
)
def test_obj_subquery_lookup(self):
qs = JSONModel.objects.annotate(
value=Subquery(JSONModel.objects.filter(pk=OuterRef('pk')).values('field')),
).filter(value__a='b')
self.assertSequenceEqual(qs, [self.objs[7], self.objs[8]])
def test_deep_lookup_objs(self):
self.assertSequenceEqual(
JSONModel.objects.filter(field__k__l='m'),