[4.1.x] Refs CVE-2022-34265 -- Properly escaped Extract() and Trunc() parameters.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Backport of 877c800f25 from main
2025-10-31 09:41:08 +00:00 · 2022-06-19 23:46:22 -04:00
parent 14057603c7
commit 585ed2f6d7
10 changed files with 263 additions and 220 deletions
--- a/tests/custom_lookups/tests.py
+++ b/tests/custom_lookups/tests.py
@@ -75,7 +75,7 @@ class YearTransform(models.Transform):

    def as_sql(self, compiler, connection):
        lhs_sql, params = compiler.compile(self.lhs)
-        return connection.ops.date_extract_sql("year", lhs_sql), params
+        return connection.ops.date_extract_sql("year", lhs_sql, params)

    @property
    def output_field(self):