티스토리 수익 글 보기

티스토리 수익 글 보기

Fix a security issue in the admin. Disclosure and new release forthco… · django/django@85207a2 · GitHub
Skip to content

Commit 85207a2

Browse files
alexalex
committed
Fix a security issue in the admin. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15033 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 47fe010 commit 85207a2

File tree

4 files changed

+44
4
lines changed

4 files changed

+44
4
lines changed

django/contrib/admin/options.py

Lines changed: 27 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,9 @@
1010
from django.views.decorators.csrf import csrf_protect
1111
from django.core.exceptions import PermissionDenied, ValidationError
1212
from django.db import models, transaction
13-
from django.db.models.fields import BLANK_CHOICE_DASH
13+
from django.db.models.related import RelatedObject
14+
from django.db.models.fields import BLANK_CHOICE_DASH, FieldDoesNotExist
15+
from django.db.models.sql.constants import LOOKUP_SEP, QUERY_TERMS
1416
from django.http import Http404, HttpResponse, HttpResponseRedirect
1517
from django.shortcuts import get_object_or_404, render_to_response
1618
from django.utils.decorators import method_decorator
@@ -183,6 +185,30 @@ def _declared_fieldsets(self):
183185
def get_readonly_fields(self, request, obj=None):
184186
return self.readonly_fields
185187

188+
def lookup_allowed(self, lookup):
189+
parts = lookup.split(LOOKUP_SEP)
190+
191+
# Last term in lookup is a query term (__exact, __startswith etc)
192+
# This term can be ignored.
193+
if len(parts) > 1 and parts[-1] in QUERY_TERMS:
194+
parts.pop()
195+
196+
# Special case -- foo__id__exact and foo__id queries are implied
197+
# if foo has been specificially included in the lookup list; so
198+
# drop __id if it is the last part.
199+
if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:
200+
parts.pop()
201+
202+
try:
203+
self.model._meta.get_field_by_name(parts[0])
204+
except FieldDoesNotExist:
205+
# Lookups on non-existants fields are ok, since they're ignored
206+
# later.
207+
return True
208+
else:
209+
clean_lookup = LOOKUP_SEP.join(parts)
210+
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
211+
186212
class ModelAdmin(BaseModelAdmin):
187213
"Encapsulates all admin options and functionality for a given model."
188214

django/contrib/admin/views/main.py

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
from django.contrib.admin.filterspecs import FilterSpec
22
from django.contrib.admin.options import IncorrectLookupParameters
33
from django.contrib.admin.util import quote
4+
from django.core.exceptions import SuspiciousOperation
45
from django.core.paginator import Paginator, InvalidPage
56
from django.db import models
67
from django.db.models.query import QuerySet
@@ -187,13 +188,18 @@ def get_query_set(self):
187188
else:
188189
lookup_params[key] = True
189190

191+
if not self.model_admin.lookup_allowed(key):
192+
raise SuspiciousOperation(
193+
"Filtering by %s not allowed" % key
194+
)
195+
190196
# Apply lookup parameters from the query string.
191197
try:
192198
qs = qs.filter(**lookup_params)
193199
# Naked except! Because we don't have any other way of validating "params".
194200
# They might be invalid if the keyword arguments are incorrect, or if the
195201
# values are not in the correct type, so we might get FieldError, ValueError,
196-
# ValicationError, or ? from a custom field that raises yet something else
202+
# ValicationError, or ? from a custom field that raises yet something else
197203
# when handed impossible data.
198204
except:
199205
raise IncorrectLookupParameters

tests/regressiontests/admin_views/models.py

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,7 @@ class ChapterInline(admin.TabularInline):
9292

9393
class ArticleAdmin(admin.ModelAdmin):
9494
list_display = ('content', 'date', callable_year, 'model_year', 'modeladmin_year')
95-
list_filter = ('date',)
95+
list_filter = ('date', 'section')
9696

9797
def changelist_view(self, request):
9898
"Test that extra_context works"
@@ -584,6 +584,9 @@ class Album(models.Model):
584584
owner = models.ForeignKey(User)
585585
title = models.CharField(max_length=30)
586586

587+
class AlbumAdmin(admin.ModelAdmin):
588+
list_filter = ['title']
589+
587590
admin.site.register(Article, ArticleAdmin)
588591
admin.site.register(CustomArticle, CustomArticleAdmin)
589592
admin.site.register(Section, save_as=True, inlines=[ArticleInline])
@@ -630,4 +633,4 @@ class Album(models.Model):
630633
admin.site.register(ChapterXtra1)
631634
admin.site.register(Pizza, PizzaAdmin)
632635
admin.site.register(Topping)
633-
admin.site.register(Album)
636+
admin.site.register(Album, AlbumAdmin)

tests/regressiontests/admin_views/tests.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
import datetime
55

66
from django.conf import settings
7+
from django.core.exceptions import SuspiciousOperation
78
from django.core.files import temp as tempfile
89
# Register auth models with the admin.
910
from django.contrib.auth import REDIRECT_FIELD_NAME, admin
@@ -300,6 +301,10 @@ def testI18NLanguageNonEnglishFallback(self):
300301
self.assertContains(response, 'Choisir une heure')
301302
deactivate()
302303

304+
def test_disallowed_filtering(self):
305+
self.assertRaises(SuspiciousOperation,
306+
self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
307+
)
303308

304309
class SaveAsTests(TestCase):
305310
fixtures = ['admin-views-users.xml','admin-views-person.xml']

0 commit comments

Comments
 (0)