Django SQL Injection Vulnerability Advisory

Published: 2020-02-13

Vulnerability ID and Severity


CVE ID: CVE-2020-7471. Severity: critical, CVSS 3.x base score 9.8 (the NVD score; Django's own advisory rates the issue "high" under the Django security policy).


Affected Versions


Django 1.11.x < 1.11.28

Django 2.2.x < 2.2.10

Django 3.0.x < 3.0.3

Django main development branch (prior to the fix being merged)


Vulnerability Overview


Django is an open-source web application framework written in Python and maintained by the Django Software Foundation. It includes an object-relational mapper (ORM), a view system, a template system and related components.


Django has published a security release disclosing a potential SQL injection through the delimiter argument of StringAgg. In the affected versions the delimiter passed to the aggregate function django.contrib.postgres.aggregates.StringAgg was placed directly into the SQL text of the aggregate's template instead of being sent to the database as a bound parameter, so a suitably crafted delimiter can terminate the string literal and inject arbitrary SQL. The issue is reachable only where an application lets untrusted input influence that delimiter; a delimiter hard-coded in application code cannot be abused.
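To make the mechanism concrete, the following is an added example, not code from Django or from the advisory. It contrasts the two ways the delimiter can reach the database. The query shapes are modelled on the StringAgg SQL template before and after the fix, where the delimiter went from being interpolated into the template text to being wrapped in Value() and bound as a query parameter. SQLite's GROUP_CONCAT, which takes the same (expression, delimiter) arguments, stands in for PostgreSQL's STRING_AGG so the example runs offline; the table contents and the three delimiters are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the advisory).
SAMPLE_ROWS = ["alice", "bob", "carol"]

# Query shapes modelled on the StringAgg template before and after the fix.
# SQLite's GROUP_CONCAT stands in for PostgreSQL's STRING_AGG; both take
# (expression, delimiter). Added example, not Django's own code.
VULNERABLE_TEMPLATE = "GROUP_CONCAT(%(expressions)s, '%(delimiter)s')"
FIXED_TEMPLATE = "GROUP_CONCAT(%(expressions)s, %(delimiter)s)"

# Subquery with ORDER BY pins the concatenation order so results are stable.
FROM_CLAUSE = " FROM (SELECT name FROM items ORDER BY rowid)"


def _connection():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [(n,) for n in SAMPLE_ROWS])
    return conn


def aggregate_vulnerable(delimiter):
    """Pre-fix shape: the delimiter is spliced into the SQL text, so a quote
    inside it ends the string literal and whatever follows is parsed as SQL."""
    sql = "SELECT " + VULNERABLE_TEMPLATE % {
        "expressions": "name",
        "delimiter": delimiter,
    } + FROM_CLAUSE
    return _connection().execute(sql).fetchone()[0]


def aggregate_fixed(delimiter):
    """Post-fix shape: the delimiter is a bound parameter (the fix wraps it in
    Value(), which the ORM compiles to a placeholder), so its bytes never
    become part of the query text."""
    sql = "SELECT " + FIXED_TEMPLATE % {
        "expressions": "name",
        "delimiter": "?",
    } + FROM_CLAUSE
    return _connection().execute(sql, (delimiter,)).fetchone()[0]


def compare(delimiter):
    """Run both shapes with the same delimiter and return
    (vulnerable_result, fixed_result); a failing query is reported by the
    exception class name in place of a result."""
    out = []
    for fn in (aggregate_vulnerable, aggregate_fixed):
        try:
            out.append(fn(delimiter))
        except sqlite3.Error as exc:
            out.append(type(exc).__name__)
    return tuple(out)


if __name__ == "__main__":
    # A harmless delimiter behaves the same either way.
    print(compare(", "))
    # A lone quote breaks the interpolated query; the bound version just
    # uses it as the separator.
    print(compare("'"))
    # A delimiter that closes the literal smuggles a subquery into the
    # interpolated query; the bound version treats it as an opaque string.
    print(compare("') || (SELECT count(*) FROM items) || ('"))
```

The second and third calls are the whole story: with the interpolated template the apostrophe leaves the string literal, so the rest of the delimiter is executed as SQL (here a harmless count, but any expression the database accepts), whereas the parameterized template returns the delimiter's characters verbatim between the rows.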


Users can determine whether their application is exposed by checking the installed version. Run python at the command line, then enter the following at the Python prompt to print the Django version. If the version falls within an affected range and the application's database is PostgreSQL (StringAgg is only available in django.contrib.postgres), the application is exposed to this vulnerability.


>>> import django

>>> django.get_version()


»òÕߣ¬£¬£¬£¬´ËÎó²îÊÇÓÉÓھۺϺ¯ÊýStringAggµ¼Ö£¬£¬£¬£¬ÈôDjango°æ±¾ÔÚÊÜÓ°Ïì¹æÄ£ÄÚ£¬£¬£¬£¬ÇÒʹÓÃÁ˸þۺϺ¯Êý£¬£¬£¬£¬Ôò¿ÉÄܱ£´æÇ徲Σº¦¡£¡£¡£¿ £¿£¿£¿£¿£¿£¿ª·¢Ö°Ô±¿É×ÔÐÐÅŲéÊÇ·ñʹÓÃÁËÏÂÁк¯Êý¡£¡£¡£StringAggº¯Êý£¬£¬£¬£¬ÊÇPostgreSQLÊý¾Ý¿âÖн«±í´ïʽÄð³É×Ö·û´®µÄ¾ÛºÏº¯Êý£¬£¬£¬£¬¿ÉʵÏÖ¶àÐÐÆ´½Ó£¬£¬£¬£¬Ó¦ÓÃÆÕ±é¡£¡£¡£


django.contrib.postgres.aggregates.StringAgg
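The two checks above (version range and StringAgg usage) can be scripted. The following is an added example, not tooling from Django or from the advisory: it parses the string django.get_version() returns and compares it with the fixed release of its series, and it greps Python sources for references to StringAgg. The fixed-release table is taken from the affected-version list above; the sample source text is constructed, and the scan_tree() helper and its directory argument are illustrative.

```python
import re
from pathlib import Path

# Fixed release of each affected series, from the advisory: (major, minor) -> fixed.
FIXED_IN = {
    (1, 11): (1, 11, 28),
    (2, 2): (2, 2, 10),
    (3, 0): (3, 0, 3),
}

# Leading numeric components of a Django version string; the optional patch
# group does not match suffixes such as ".dev20200203" or "a1".
_NUMERIC = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Turn the string django.get_version() returns ('2.2.9', '3.0.3',
    '3.1.dev20200203') into a (major, minor, patch) tuple."""
    m = _NUMERIC.match(version)
    if not m:
        raise ValueError("unrecognised Django version string: %r" % (version,))
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version is below the fixed release of its series, False if
    it is at or above it, None if the advisory lists no fixed release for the
    series (e.g. a development branch: consult the release notes instead)."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


# Any use of the aggregate spells its name, whether imported directly,
# referenced through the module, or aliased on the import line.
_STRING_AGG = re.compile(r"\bStringAgg\b")


def find_string_agg(source, filename="<source>"):
    """Return (filename, line number, stripped line) for every line of a
    Python source text that references StringAgg."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        if _STRING_AGG.search(line):
            hits.append((filename, n, line.strip()))
    return hits


def scan_tree(root):
    """Walk a project directory (illustrative helper) and collect StringAgg
    references from every *.py file under it."""
    hits = []
    for path in sorted(Path(root).rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_string_agg(text, str(path)))
    return hits


# Constructed sample module standing in for application code.
SAMPLE_SOURCE = '''\
from django.contrib.postgres.aggregates import ArrayAgg, StringAgg
from django.db.models import Count

def tags_for(queryset, sep):
    return queryset.annotate(tags=StringAgg("tag__name", delimiter=sep))
'''


if __name__ == "__main__":
    for v in ("1.11.27", "2.2.10", "3.0.2", "3.1.dev20200203"):
        print(v, is_affected(v))
    for filename, lineno, line in find_string_agg(SAMPLE_SOURCE, "app/queries.py"):
        print("%s:%d: %s" % (filename, lineno, line))
```

In the constructed sample the delimiter comes from a function argument (sep), which is exactly the pattern to trace back to its origin: if it can be set from a request parameter, the call is exploitable on an affected version.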


Vulnerability Verification


No public PoC or exploit at the time of writing.


Remediation


Django has released new versions that fix the vulnerability described above. Affected users should upgrade as soon as possible.


Django 1.11.28 download: https://www.djangoproject.com/m/releases/1.11/Django-1.11.28.tar.gz

Django 2.2.10 download: https://www.djangoproject.com/m/releases/2.2/Django-2.2.10.tar.gz

Django 3.0.3 download: https://www.djangoproject.com/m/releases/3.0/Django-3.0.3.tar.gz


ÈôʹÓà pip ×°Öà Django£¬£¬£¬£¬¿Éͨ¹ý --upgrade »ò -U À´ÊµÏִ˲Ù×÷£º


$ pip install -U Django


°æ±¾¸üвÙ×÷¿É²Î¿¼ÏÂÁÐÁ´½Ó£º


https://docs.djangoproject.com/zh-hans/2.2/howto/upgrade-version


References


https://www.djangoproject.com/weblog/2020/feb/03/security-releases