Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.

2025-10-31 09:41:08 +00:00 · 2019-12-31 12:46:06 -05:00
parent 6b178a3e93
commit eb31d84532
7 changed files with 45 additions and 5 deletions
--- a/docs/releases/2.2.10.txt
+++ b/docs/releases/2.2.10.txt
@@ -0,0 +1,13 @@
+===========================
+Django 2.2.10 release notes
+===========================
+
+*February 3, 2020*
+
+Django 2.2.10 fixes a security issue in 2.2.9.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.