[PATCH 4/4] views/user: string interpolation in raw SQL is safe here
Daniel Axtens
dja at axtens.net
Wed Jan 31 02:36:11 AEDT 2018
There's a FIXME asking for some generated SQL that uses string
interpolation to be investigated.
I investigated.
It's safe - it only interpolates table/column names, not
user-controlled data.
Replace the FIXME with an explanatory statement.
Signed-off-by: Daniel Axtens <dja at axtens.net>
---
patchwork/views/user.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/patchwork/views/user.py b/patchwork/views/user.py
index 79c615aa2da0..2a2d704679e0 100644
--- a/patchwork/views/user.py
+++ b/patchwork/views/user.py
@@ -117,7 +117,11 @@ def profile(request):
'profileform': form,
}
- # FIXME(stephenfin): This looks unsafe. Investigate.
+ # This looks unsafe but is actually fine: it just gets the names
+ # of tables and columns, not user-supplied data.
+ #
+ # An example of generated SQL is:
+ # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout)
optout_query = '%s.%s IN (SELECT %s FROM %s)' % (
Person._meta.db_table,
Person._meta.get_field('email').column,
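Review bot: the new comment says the interpolation is fine but not what that rests on, and the four operands are still spliced in bare at `optout_query = '%s.%s IN (SELECT %s FROM %s)' % (`. I'd either pass each name through `connection.ops.quote_name()` so a reserved-word or oddly named table/column cannot break the statement, or drop the raw SQL and let the ORM build the subquery (a `filter(email__in=...values('email'))` over the opt-out model yields the same `IN (SELECT ...)`). Failing that, extend the comment to say that `_meta.db_table` and `get_field('email').column` come from model Meta defined in the source tree, so a later edit that substitutes a request parameter is obviously wrong; the example SQL is worth keeping.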
--
2.14.1
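To make the distinction in the commit message concrete, here is an added example that is not Patchwork code and does not use Django: a small sqlite3 script in which `Meta` is a hypothetical stand-in for the `_meta.db_table` / `column` attributes the patch reads, and `quote_ident` is a hypothetical identifier quoter playing the role Django's `connection.ops.quote_name` would. The table names, columns and rows are constructed. It builds the same `IN (SELECT ...)` clause from identifiers only, and then runs the same query once with a user-supplied value bound as a parameter and once with that value interpolated, which is the case the FIXME was actually worried about.

```python
import re
import sqlite3
from collections import namedtuple

# Stand-in for the two Django model-metadata attributes the patch reads
# (Person._meta.db_table and get_field('email').column).  Hypothetical:
# this is not Django's Options object, just the fields the clause needs.
Meta = namedtuple("Meta", "db_table columns")
PERSON_META = Meta("patchwork_person", {"email": "email", "name": "name"})
OPTOUT_META = Meta("patchwork_emailoptout", {"email": "email"})

_PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_to_interpolate(name):
    """True if name is a plain SQL identifier: letters, digits, underscore."""
    return bool(_PLAIN_IDENT.match(name))


def quote_ident(name):
    """Hypothetical identifier quoter (connection.ops.quote_name would play
    this role in a real Django view).  Refuses anything that is not a plain
    identifier, then double-quotes it so a reserved word still parses."""
    if not safe_to_interpolate(name):
        raise ValueError("not a plain SQL identifier: %r" % (name,))
    return '"%s"' % name


def optout_clause(person_meta, optout_meta):
    """Same shape as the clause in the patch: every operand is an identifier
    taken from model metadata, never from the request."""
    return "%s.%s IN (SELECT %s FROM %s)" % (
        quote_ident(person_meta.db_table),
        quote_ident(person_meta.columns["email"]),
        quote_ident(optout_meta.columns["email"]),
        quote_ident(optout_meta.db_table),
    )


def build_db():
    """In-memory SQLite database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE patchwork_person (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE patchwork_emailoptout (email TEXT);
        INSERT INTO patchwork_person (name, email) VALUES
            ('alice', 'alice@example.org'),
            ('bob',   'bob@example.org'),
            ('carol', 'carol@example.org');
        INSERT INTO patchwork_emailoptout VALUES ('bob@example.org');
        """
    )
    return conn


def opted_out_emails(conn, name):
    """Safe: identifiers interpolated from metadata, the user-supplied name
    bound as a parameter so it can only be compared, never parsed as SQL."""
    sql = "SELECT email FROM %s WHERE %s AND %s.%s = ? ORDER BY email" % (
        quote_ident(PERSON_META.db_table),
        optout_clause(PERSON_META, OPTOUT_META),
        quote_ident(PERSON_META.db_table),
        quote_ident(PERSON_META.columns["name"]),
    )
    return [row[0] for row in conn.execute(sql, (name,))]


def opted_out_emails_unsafe(conn, name):
    """The pattern the FIXME feared, applied to a *value*: the name is spliced
    into the statement and becomes SQL, so an OR clause can defeat the
    opt-out restriction entirely."""
    sql = "SELECT email FROM %s WHERE %s AND %s.%s = '%s' ORDER BY email" % (
        quote_ident(PERSON_META.db_table),
        optout_clause(PERSON_META, OPTOUT_META),
        quote_ident(PERSON_META.db_table),
        quote_ident(PERSON_META.columns["name"]),
        name,
    )
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    print(optout_clause(PERSON_META, OPTOUT_META))
    print(opted_out_emails(db, "x' OR '1'='1"))         # []
    print(opted_out_emails_unsafe(db, "x' OR '1'='1"))  # all three addresses
```

The point the script makes is the one the commit message relies on: the operands of the `%` in the patch are identifiers whose source is the model definition, so the worst a bad one can do is fail to parse, and `quote_ident` turns even that into an early `ValueError`. The moment a request-controlled value takes one of those slots the same idiom is an injection, which is why the two functions differ only in whether `name` is bound or spliced.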