mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Fixed #34553 -- Fixed improper % escaping of literal in constraints.
Proper escaping of % in string literals used when defining constaints was attempted (a8b3f96f6) by overriding quote_value of Postgres and Oracle schema editor. The same approach was used when adding support for constraints to the MySQL/MariaDB backend (1fc2c70). Later on it was discovered that this approach was not appropriate and that a preferable one was to pass params=None when executing the constraint creation DDL to avoid any form of interpolation in the first place (42e8cf47). When the second patch was applied the corrective of the first were not removed which caused % literals to be unnecessary doubled. This flew under the radar because the existings test were crafted in a way that consecutive %% didn't catch regressions. This commit introduces an extra test for __exact lookups which highlights more adequately % doubling problems but also adjust a previous __endswith test to cover % doubling problems (%\% -> %%\%%). Thanks Thomas Kolar for the report. Refs #32369, #30408, #30593.
This commit is contained in:
		
				
					committed by
					
						 Mariusz Felisiak
						Mariusz Felisiak
					
				
			
			
				
	
			
			
			
						parent
						
							e0f8104a96
						
					
				
				
					commit
					ffff17d4b0
				
			| @@ -56,8 +56,6 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor): | |||||||
|  |  | ||||||
|     def quote_value(self, value): |     def quote_value(self, value): | ||||||
|         self.connection.ensure_connection() |         self.connection.ensure_connection() | ||||||
|         if isinstance(value, str): |  | ||||||
|             value = value.replace("%", "%%") |  | ||||||
|         # MySQLdb escapes to string, PyMySQL to bytes. |         # MySQLdb escapes to string, PyMySQL to bytes. | ||||||
|         quoted = self.connection.connection.escape( |         quoted = self.connection.connection.escape( | ||||||
|             value, self.connection.connection.encoders |             value, self.connection.connection.encoders | ||||||
|   | |||||||
| @@ -32,7 +32,7 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor): | |||||||
|         elif isinstance(value, datetime.timedelta): |         elif isinstance(value, datetime.timedelta): | ||||||
|             return "'%s'" % duration_iso_string(value) |             return "'%s'" % duration_iso_string(value) | ||||||
|         elif isinstance(value, str): |         elif isinstance(value, str): | ||||||
|             return "'%s'" % value.replace("'", "''").replace("%", "%%") |             return "'%s'" % value.replace("'", "''") | ||||||
|         elif isinstance(value, (bytes, bytearray, memoryview)): |         elif isinstance(value, (bytes, bytearray, memoryview)): | ||||||
|             return "'%s'" % value.hex() |             return "'%s'" % value.hex() | ||||||
|         elif isinstance(value, bool): |         elif isinstance(value, bool): | ||||||
|   | |||||||
| @@ -56,8 +56,6 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor): | |||||||
|     ) |     ) | ||||||
|  |  | ||||||
|     def quote_value(self, value): |     def quote_value(self, value): | ||||||
|         if isinstance(value, str): |  | ||||||
|             value = value.replace("%", "%%") |  | ||||||
|         return sql.quote(value, self.connection.connection) |         return sql.quote(value, self.connection.connection) | ||||||
|  |  | ||||||
|     def _field_indexes_sql(self, model, field): |     def _field_indexes_sql(self, model, field): | ||||||
|   | |||||||
| @@ -3662,7 +3662,7 @@ class OperationTests(OperationTestBase): | |||||||
|             ), |             ), | ||||||
|             # Literal "%" should be escaped in a way that is not a considered a |             # Literal "%" should be escaped in a way that is not a considered a | ||||||
|             # wildcard. |             # wildcard. | ||||||
|             (models.Q(rebate__endswith="%"), {"rebate": "10%"}, {"rebate": "10$"}), |             (models.Q(rebate__endswith="%"), {"rebate": "10%"}, {"rebate": "10%$"}), | ||||||
|             # Right-hand-side baked "%" literals should not be used for |             # Right-hand-side baked "%" literals should not be used for | ||||||
|             # parameters interpolation. |             # parameters interpolation. | ||||||
|             ( |             ( | ||||||
| @@ -3670,6 +3670,12 @@ class OperationTests(OperationTestBase): | |||||||
|                 {"name": "Albert"}, |                 {"name": "Albert"}, | ||||||
|                 {"name": "Albert", "surname": "Alberto"}, |                 {"name": "Albert", "surname": "Alberto"}, | ||||||
|             ), |             ), | ||||||
|  |             # Exact matches against "%" literals should also be supported. | ||||||
|  |             ( | ||||||
|  |                 models.Q(name="%"), | ||||||
|  |                 {"name": "%"}, | ||||||
|  |                 {"name": "Albert"}, | ||||||
|  |             ), | ||||||
|         ] |         ] | ||||||
|         for check, valid, invalid in checks: |         for check, valid, invalid in checks: | ||||||
|             with self.subTest(check=check, valid=valid, invalid=invalid): |             with self.subTest(check=check, valid=valid, invalid=invalid): | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user