Re: [Django] #24605: Database identifiers are not properly escaped in some queries

[Django]

#24605: Database identifiers are not properly escaped in some queries
-------------------------------------+-------------------------------------
     Reporter:  kurevin              |                    Owner:
                                     |  priidukull
         Type:  Bug                  |                   Status:  assigned
    Component:  Database layer       |                  Version:  1.7
  (models, ORM)                      |
     Severity:  Release blocker      |               Resolution:
     Keywords:  regression,          |             Triage Stage:  Accepted
  database                           |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by priidukull):

 I have reproduced the issue by having added the following lines into the
 tests.queries module:

 tests.py:

 {{{
 class TestTicket24605(TestCase):
     def test_ticket_24605(self):
         results = Amodel.objects.exclude(bmodel__id=False,
 cmodel__isnull=True)
         self.assertEqual(0, len(results))
 }}}

 models.py:

 {{{
 class Bmodel(models.Model):
     id = models.AutoField(primary_key=True)
     is_active = models.BooleanField()

     class Meta:
         db_table = 'Bmodel'


 class Amodel(models.Model):
     active = models.BooleanField()
     bmodel = models.ForeignKey(Bmodel, related_name='Amodel_bmodel')

     class Meta:
         db_table = 'Amodel'


 class Cmodel(models.Model):
     amodel = models.ForeignKey(Amodel)

     class Meta:
         db_table = 'Cmodel'
 }}}

 However, the test does not fail every time it runs. I have run the test
 for 100 consecutive times twice. Passed 42 times the first time I ran it
 and 45 times the second time I ran it. Whether the test fails or passes
 depends on in which order the children of the Q-object are iterated over.
 The test fails if the order of {{{q_object.children}}} is:

 {{{('bmodel__id', False), ('cmodel__isnull', True) }}}

 and passes when the order is inverse.

 The order of q_object children is determined in the method
 {{{Q.__init__()}}}

 {{{        super(Q, self).__init__(children=list(args) +
 list(six.iteritems(kwargs)))   }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24605#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.f535fb285bf8d16209326bc48e079d1b%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.