From d5a49ce7e2cc625545bb0ed3f26908e003ee86a7 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Wed, 16 Oct 2024 09:01:32 +0200
Subject: [PATCH] properly escape quotes in passwords by calling to_python database passwords can contain special characters, especially " and ' so we can't just print the value of the field enclosed by single quotes as that would break whenever the user uses a literal ' in their password
---
templates/settings.py.erb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/settings.py.erb b/templates/settings.py.erb
index d33425a..0d69816 100644
--- a/templates/settings.py.erb
+++ b/templates/settings.py.erb
@@ -24,7 +24,7 @@ DATABASES = {
 'ENGINE': 'django.db.backends.postgresql',
 'NAME': '<%= scope['pulpcore::postgresql_db_name'] %>',
 'USER': '<%= scope['pulpcore::postgresql_db_user'] %>',
- 'PASSWORD': '<%= scope['pulpcore::postgresql_db_password'] %>',
+ 'PASSWORD': <%= scope.call_function('to_python', [scope['pulpcore::postgresql_db_password']]) %>,
 'HOST': '<%= scope['pulpcore::postgresql_db_host'] %>',
 'PORT': '<%= scope['pulpcore::postgresql_db_port'] %>',
 <% if scope['pulpcore::postgresql_db_ssl'] && !scope['pulpcore::postgresql_manage_db'] -%>
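Review bot: The NAME, USER and HOST lines in this hunk still print the Puppet value between hard-coded single quotes, so a `'` or `\` in any of them yields the same broken or altered Python literal that this change fixes for PASSWORD. Because Django executes settings.py as code, those values should be rendered the same way, e.g. `'USER': <%= scope.call_function('to_python', [scope['pulpcore::postgresql_db_user']]) %>,`. PORT needs a decision first: if the parameter is numeric, to_python would presumably emit a bare integer rather than the current quoted string. The DATABASES dict and the `<% if` block continue outside the hunk, so any quoted interpolations there should be checked for the same pattern.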