Re: [Sqlalchemy-tickets] [sqlalchemy] #2951: Confusing Query.get() behaviour. Possible insufficient
From: sqlalchemy <mi...@zz...> - 2014-02-10 21:22:16
#2951: Confusing Query.get() behaviour. Possible insufficient criterion checking.
------------------------------+-----------------------------------
Reporter:       enomad        | Owner:     zzzeek
Type:           defect        | Status:    new
Priority:       high          | Milestone: 0.8.xx
Component:      orm           | Severity:  trivial - <10 minutes
Resolution:                   | Keywords:  Query get criterion
Progress State: in progress   |
------------------------------+-----------------------------------
Changes (by zzzeek):
* priority: medium => high
* status_field: awaiting triage => in progress
* component: cextensions => orm
* severity: no triage selected yet => trivial - <10 minutes
* milestone: => 0.8.xx
Comment:
Please explain fully why you think this bug is a security breach. No
illegal value is being injected here; the filter() criterion is being
ignored and you're getting id #2, just as you would if the filter()
criterion hadn't been used. It is of course a bug.
--
Ticket URL: <http://www.sqlalchemy.org/trac/ticket/2951#comment:1>
sqlalchemy <http://www.sqlalchemy.org/>
The Database Toolkit for Python