[Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
--------------------------------------------+--------------------------
               Reporter:  felixxm           |          Owner:  felixxm
                   Type:  Bug               |         Status:  assigned
              Component:  contrib.postgres  |        Version:  2.2
               Severity:  Normal            |       Keywords:
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
--------------------------------------------+--------------------------
 JSONField/HStoreField key and index transforms crash when we pass
 expressions with parameters, e.g.
 {{{
 KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
 }}}
 this is caused by a regression introduced in the last security release
 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
 undocumented and such usage is untested.

--
Ticket URL: <https://code.djangoproject.com/ticket/30672>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/050.533858de733cbb0cb89e4f7943c80dab%40djangoproject.com.

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  2.2
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  0                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Changes (by Carlton Gibson):

 * stage:  Unreviewed => Accepted


Comment:

 Well, clearly a bug. I'm inclined to view this as ''new usage'', rather
 than a regression, but open to opinions.

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:1>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  2.2
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  0                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Description changed by felixxm:

Old description:

> JSONField/HStoreField key and index transforms crash when we pass
> expressions with parameters, e.g.
> {{{
> KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
> }}}
> this is caused by a regression introduced in the last security release
> 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
> undocumented and such usage is untested.

New description:

 JSONField/HStoreField key and index transforms crash when we pass
 expressions with parameters, e.g.
 {{{
 KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
 }}}
 this is caused by a regression introduced in the last security release
 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
 undocumented and such usage is untested.

 Crash for nested keys in
 [https://github.com/django/django/blob/194d1dfc186cc8d2b35dabf64f3ed38b757cbd98/django/contrib/postgres/fields/jsonb.py#L109-L110
 KeyTransform] for `JSONField` is not a regression because it has not been
 changed since its introduction.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:2>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  master
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  0                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Changes (by felixxm):

 * version:  2.2 => master


Old description:

> JSONField/HStoreField key and index transforms crash when we pass
> expressions with parameters, e.g.
> {{{
> KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
> }}}
> this is caused by a regression introduced in the last security release
> 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
> undocumented and such usage is untested.
>
> Crash for nested keys in
> [https://github.com/django/django/blob/194d1dfc186cc8d2b35dabf64f3ed38b757cbd98/django/contrib/postgres/fields/jsonb.py#L109-L110
> KeyTransform] for `JSONField` is not a regression because it has not been
> changed since its introduction.
New description:

 JSONField/HStoreField key and index transforms crash when we pass
 expressions with parameters, e.g.
 {{{
 KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
 }}}
 ~~this is caused by a regression introduced in the last security release
 7deeabc7c7526786df6894429ce89a9c4b614086~~, however `KeyTransform` is
 undocumented and such usage is untested.

 Crash for nested keys in
 [https://github.com/django/django/blob/194d1dfc186cc8d2b35dabf64f3ed38b757cbd98/django/contrib/postgres/fields/jsonb.py#L109-L110
 KeyTransform] for `JSONField` is not a regression because it has not been
 changed since its introduction.

--

Comment:

 OK, it seems that it's not a regression because these transforms crashed
 (when we pass expressions with parameters) even before
 7deeabc7c7526786df6894429ce89a9c4b614086. Of course, for a different
 reason.

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:3>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  master
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Changes (by felixxm):

 * has_patch:  0 => 1


Comment:

 [https://github.com/django/django/pull/11617 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:4>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  master
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Description changed by felixxm:

Old description:

> JSONField/HStoreField key and index transforms crash when we pass
> expressions with parameters, e.g.
> {{{
> KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
> }}}
> ~~this is caused by a regression introduced in the last security release
> 7deeabc7c7526786df6894429ce89a9c4b614086~~, however `KeyTransform` is
> undocumented and such usage is untested.
>
> Crash for nested keys in
> [https://github.com/django/django/blob/194d1dfc186cc8d2b35dabf64f3ed38b757cbd98/django/contrib/postgres/fields/jsonb.py#L109-L110
> KeyTransform] for `JSONField` is not a regression because it has not been
> changed since its introduction.
New description:

 JSONField/HStoreField key and index transforms crash when we pass
 expressions with parameters, e.g.
 {{{
 KeyTransform('x', RawSQL("%s::jsonb", ['{"x": "bar"}']))
 }}}
 this is caused by a regression introduced in the last security release
 7deeabc7c7526786df6894429ce89a9c4b614086, however `KeyTransform` is
 undocumented and such usage is untested.

 Crash for nested keys in
 [https://github.com/django/django/blob/194d1dfc186cc8d2b35dabf64f3ed38b757cbd98/django/contrib/postgres/fields/jsonb.py#L109-L110
 KeyTransform] for `JSONField` is not a regression because it has not been
 changed since its introduction.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:5>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Changes (by felixxm):

 * version:  master => 1.11


--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:6>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Release blocker   |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Changes (by felixxm):

 * severity:  Normal => Release blocker


--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:7>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Release blocker   |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------

Comment (by felixxm):

 I moved an issue with nested transforms to a separate ticket #30704
 because it is not a regression.

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:8>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  closed
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Release blocker   |               Resolution:  fixed
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Changes (by GitHub <noreply@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"1f8382d34d54061eddc41df6994e20ee38c60907" 1f8382d3]:
 {{{
 #!CommitTicketReference repository=""
 revision="1f8382d34d54061eddc41df6994e20ee38c60907"
 Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on
 expressions with params.

 Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.

 Thanks Florian Apolloner for the report and helping with tests.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:9>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  closed
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Release blocker   |               Resolution:  fixed
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"52a7759a4916484953c8e5a7d2f260dd1c1e3c12" 52a7759a]:
 {{{
 #!CommitTicketReference repository=""
 revision="52a7759a4916484953c8e5a7d2f260dd1c1e3c12"
 [2.2.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key
 transforms on expressions with params.

 Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.

 Thanks Florian Apolloner for the report and helping with tests.

 Backport of 1f8382d34d54061eddc41df6994e20ee38c60907 from master.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:10>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  closed
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Release blocker   |               Resolution:  fixed
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"968b9af9b7f7e49af17fc82de5a2de9a91b86e44" 968b9af9]:
 {{{
 #!CommitTicketReference repository=""
 revision="968b9af9b7f7e49af17fc82de5a2de9a91b86e44"
 [2.1.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key
 transforms on expressions with params.

 Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.

 Thanks Florian Apolloner for the report and helping with tests.

 Backport of 1f8382d34d54061eddc41df6994e20ee38c60907 from master.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:11>

Re: [Django] #30672: JSONField/HStoreField key and index transforms crash.

#30672: JSONField/HStoreField key and index transforms crash.
----------------------------------+------------------------------------
     Reporter:  felixxm           |                    Owner:  felixxm
         Type:  Bug               |                   Status:  closed
    Component:  contrib.postgres  |                  Version:  1.11
     Severity:  Release blocker   |               Resolution:  fixed
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"473c526b1b014e73e139665db2ddbbcee23bb826" 473c526b]:
 {{{
 #!CommitTicketReference repository=""
 revision="473c526b1b014e73e139665db2ddbbcee23bb826"
 [1.11.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key
 transforms on expressions with params.

 Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.

 Thanks Florian Apolloner for the report and helping with tests.

 Backport of 1f8382d34d54061eddc41df6994e20ee38c60907 from master.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30672#comment:12>