Django: CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Related Vulnerabilities: CVE-2021-35042

oss-sec mailing list archives
From: Mariusz Felisiak <felisiak.mariusz () gmail com>

Date: Thu, 1 Jul 2021 10:08:07 +0200
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing
`Django 3.2.5 <https://docs.djangoproject.com/en/dev/releases/3.2.5/>`_ and
`Django 3.1.13 <https://docs.djangoproject.com/en/dev/releases/3.1.13/>`_.
These releases address the security issue with severity "high" detailed
below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
=====================================================================================

Unsanitized user input passed to ``QuerySet.order_by()`` could bypass the
intended column reference validation in a path marked for deprecation,
resulting in a potential SQL injection even though a deprecation warning is
emitted.

As a mitigation, the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a side
effect of fixing `#31426 <https://code.djangoproject.com/ticket/31426>`_.

The issue is not present in the main branch as the deprecated path has been
removed.
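The control described above is validation of ordering references before they reach SQL. The following is an added example, not Django's code and not part of this advisory: it reconstructs a strict column-reference check (the pattern ``\?|[-+]?[.\w]+`` is an assumption modeled on Django's, not quoted from the page) and layers an application-side allowlist on top, so a user-supplied ``?sort=`` parameter can never carry anything but a known column name into ``order_by()``. The allowlist names and the ``safe_ordering`` helper are hypothetical.

```python
import re

# Assumption: a strict column-reference pattern in the spirit of Django's
# validation. Accepts '?' (random ordering) or an optional sign followed by
# word characters and dots; rejects spaces, quotes, parentheses, semicolons
# and anything else that could smuggle SQL through an ORDER BY clause.
STRICT_ORDER_PATTERN = re.compile(r"\?|[-+]?[.\w]+")

# Hypothetical allowlist of columns one list view permits sorting on.
ALLOWED_SORT_FIELDS = frozenset({"name", "created", "price"})


def passes_strict_pattern(reference: str) -> bool:
    """Syntactic layer: True only if the whole string matches the pattern."""
    return STRICT_ORDER_PATTERN.fullmatch(reference) is not None


def safe_ordering(raw, allowed=ALLOWED_SORT_FIELDS, default="name"):
    """Map a user-supplied sort parameter to a value safe for order_by().

    Two layers are applied, and either one alone rejects the injection
    shapes this CVE concerns:
      1. the strict syntactic pattern (the check the advisory says could be
         bypassed on the deprecated path), and
      2. an application allowlist of sortable columns, which a view should
         enforce regardless of how the ORM validates its input.
    Anything that fails either layer falls back to `default`.
    """
    if not isinstance(raw, str) or not passes_strict_pattern(raw):
        return default
    descending = raw.startswith("-")
    field = raw.lstrip("+-")
    if field not in allowed:
        # Dotted or unknown references pass the syntax check but are not
        # columns this view exposes, so they are dropped here.
        return default
    return f"-{field}" if descending else field


if __name__ == "__main__":
    for candidate in ["-price", "created", "author.name", "name; --", None]:
        print(repr(candidate), "->", safe_ordering(candidate))
```

In a Django view the result would be passed as ``queryset.order_by(safe_ordering(request.GET.get("sort")))``; the allowlist is what keeps the call safe on every Django version, patched or not.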

Thanks to Joel Saunders for the report.

Affected supported versions
===========================

* Django 3.2
* Django 3.1

Resolution
==========

Patches to resolve the issue have been applied to Django's 3.2 and 3.1
release branches. The patches may be obtained from the
following changesets:

* On the `3.2 release branch
  <https://github.com/django/django/commit/a34a5f724c5d5adb2109374ba3989ebb7b11f81f>`__
* On the `3.1 release branch
  <https://github.com/django/django/commit/0bd57a879a0d54920bb9038a732645fb917040e9>`__

The following releases have been issued:

* Django 3.2.5 (`download Django 3.2.5
  <https://www.djangoproject.com/m/releases/3.2/Django-3.2.5.tar.gz>`_ |
  `3.2.5 checksums
  <https://www.djangoproject.com/m/pgp/Django-3.2.5.checksum.txt>`_)
* Django 3.1.13 (`download Django 3.1.13
  <https://www.djangoproject.com/m/releases/3.1/Django-3.1.13.tar.gz>`_ |
  `3.1.13 checksums
  <https://www.djangoproject.com/m/pgp/Django-3.1.13.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak:
`2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
