#23259: Query extra() select_params are inserted in the incorrect order in the
overall query parameters with values_list
-------------------------------------+-------------------------------------
Reporter: rajivm | Owner: nobody
Type: Bug | Status: new
Component: Database layer | Version: 1.7-rc-2
(models, ORM) | Resolution:
Severity: Release blocker | Triage Stage: Accepted
Keywords: | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by akaariai):
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
Comment:
I don't agree with security ramifications here. Yes, there could be some
cases where this could lead to users seeing data they aren't supposed to.
But, any bug in the ORM that produces wrong results qualifies for that, and
we definitely are not going to interpret all ORM bugs as security issues.
However, this is a regression and thus a release blocker.
I haven't tested this myself, but based on the research done this seems
valid, so marking as accepted.
--
Ticket URL: <https://code.djangoproject.com/ticket/23259#comment:5>