Django

Ticket #3145 (closed: invalid)

Opened 2 years ago

Last modified 1 year ago

edit_inline Manipulator processor allows "stealing" of related objects

Reported by: jag@fsf.org
Assigned to: nobody
Milestone:
Component: Core framework
Version:
Keywords: security
Cc:
Triage Stage: Accepted
Has patch: 0
Needs documentation: 0
Needs tests: 1
Patch needs improvement: 0

Description

This may be the desired behavior, but I'd probably consider it a security bug. I'll let you decide, and if you agree, I'll come up with a patch for it...

Let's say I have a shopping cart system. So I have two models:

 from django.db import models
 
 # Product is referenced below but not shown in the report; assume it is defined elsewhere in the app.
 
 class ShoppingCart(models.Model):
   # ... snip ...
 
 class ShoppingCartItem(models.Model):
   # edit_inline: items are edited on the ShoppingCart form as "shoppingcartitem.N.<field>" rows
   shoppingcart = models.ForeignKey(ShoppingCart, edit_inline=models.STACKED)
   product = models.ForeignKey(Product, core=True)
   quantity = models.IntegerField()
   # ... snip ...

Then I have a view using django.views.generic.create_update.update_object and a template that contains:

 <form action="." method="post">
  <input type="text" name="shoppingcartitem.0.id" value="3" />
  <input type="text" name="shoppingcartitem.0.product" value="3" />
  <input type="text" name="shoppingcartitem.0.quantity" value="3" />
  <input type="submit" />
 </form>

If Alice creates a shopping cart with one item, 3 "Product 3"'s as above, and then Mallory comes in to her own shopping cart (not actually accessing the same ShoppingCart object as Alice but a distinct one of her own) and posts to this view with the values: shoppingcartitem.0.id=3&shoppingcartitem.0.product=3&shoppingcartitem.0.quantity=100, the item will be removed from Alice's cart and placed into Mallory's cart with a quantity of 100.

I would expect that Django would beef about either a) letting Mallory reassign the ForeignKey value for ShoppingCartItem(pk=3) or b) letting Mallory alter the value of ShoppingCartItems not related to the ShoppingCart object she's viewing. Neither occurs.

Thoughts?

-jag

Change History

02/18/07 00:08:01 changed by Gary Wilson <gary.wilson@gmail.com>

  • stage changed from Unreviewed to Accepted.

seems like a nasty bug to me.

06/28/07 23:56:51 changed by Fast exchanger

  • cc set to None.
  • component changed from Core framework to Documentation.
  • summary changed from edit_inline Manipulator processor allows "stealing" of related objects to Fast exchanger.
  • owner changed from adrian to jacob.
  • version set to unicode.
  • keywords set to None.
  • stage changed from Accepted to Ready for checkin.


06/29/07 00:28:30 changed by SmileyChris

  • cc deleted.
  • component changed from Documentation to Core framework.
  • needs_tests set to 1.
  • summary changed from Fast exchanger to edit_inline Manipulator processor allows "stealing" of related objects.
  • owner changed from jacob to adrian.
  • version deleted.
  • keywords changed from None to security.
  • stage changed from Ready for checkin to Accepted.

09/16/07 10:37:41 changed by ubernostrum

  • status changed from new to closed.
  • resolution set to invalid.

A foreign key is just a foreign key; it has no inherent "meaning". If the Bar model has a foreign key to Foo, that could mean "User A owns this instance and changing it is a security breach", but it could also mean "User A is working with this instance right now but User B can take it over" or it could "mean" something else entirely. It's up to you -- the developer of your specific application -- to decide what the foreign key "means" and implement the appropriate logic.
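
The attack in the report and the ownership logic the closing comment says the application must supply, as an added example that is neither the ticket's code nor Django's own. It is plain Python with an in-memory stand-in for the two tables: the ShoppingCart/ShoppingCartItem classes, the make_db data (Alice owns cart 1 holding item 3, Mallory owns cart 2), parse_inline_rows and the two save_inline_items_* functions are all constructed for illustration. The vulnerable version does what the ticket describes (it trusts the posted id and reparents the row); the hardened version never takes the foreign key from the request and refuses any posted id that does not already belong to the cart being edited, validating every row before writing any of them.

```python
from dataclasses import dataclass


@dataclass
class ShoppingCart:
    id: int
    owner: str


@dataclass
class ShoppingCartItem:
    id: int
    shoppingcart_id: int   # ForeignKey(ShoppingCart): the value Mallory must not control
    product_id: int        # ForeignKey(Product)
    quantity: int


class OwnershipError(Exception):
    """Raised when a posted inline row is not a child of the cart being edited."""


def make_db():
    """Constructed sample data: Alice's cart 1 holds item 3 (3 x product 3); cart 2 is Mallory's."""
    carts = {1: ShoppingCart(1, "alice"), 2: ShoppingCart(2, "mallory")}
    items = {3: ShoppingCartItem(3, 1, 3, 3)}
    return carts, items


def parse_inline_rows(post):
    """Group 'shoppingcartitem.<n>.<field>' keys the way the inline form posts them."""
    rows = {}
    for key, value in post.items():
        parts = key.split(".")
        if len(parts) != 3 or parts[0] != "shoppingcartitem":
            continue
        rows.setdefault(int(parts[1]), {})[parts[2]] = value
    return [rows[i] for i in sorted(rows)]


def _new_item(items, cart_id):
    item_id = max(items, default=0) + 1
    items[item_id] = ShoppingCartItem(item_id, cart_id, 0, 0)
    return items[item_id]


def save_inline_items_vulnerable(carts, items, cart_id, post):
    """The behaviour the ticket reports: whatever id is posted gets moved into cart_id."""
    carts[cart_id]  # the cart itself exists and is the one the user is viewing
    for row in parse_inline_rows(post):
        item = items.get(int(row["id"])) if row.get("id") else _new_item(items, cart_id)
        if item is None:
            item = _new_item(items, cart_id)
        item.shoppingcart_id = cart_id          # silently re-parents someone else's row
        item.product_id = int(row["product"])
        item.quantity = int(row["quantity"])


def save_inline_items_hardened(carts, items, cart_id, post):
    """Same save, but a posted id is only accepted if the row already belongs to cart_id."""
    carts[cart_id]
    rows = parse_inline_rows(post)
    # Phase 1: validate every row before touching the database, so a bad row cannot leave
    # a half-applied update behind.
    for row in rows:
        if row.get("id"):
            item = items.get(int(row["id"]))
            # Unknown id and another cart's id get the same error: do not leak which ids exist.
            if item is None or item.shoppingcart_id != cart_id:
                raise OwnershipError(f"item {row['id']} is not part of cart {cart_id}")
    # Phase 2: apply. The foreign key is set from cart_id only, never from the request.
    for row in rows:
        item = items[int(row["id"])] if row.get("id") else _new_item(items, cart_id)
        item.product_id = int(row["product"])
        item.quantity = int(row["quantity"])


def demo():
    """Mallory edits her own cart (2) but posts Alice's item id 3, exactly as in the ticket."""
    mallory_post = {"shoppingcartitem.0.id": "3", "shoppingcartitem.0.product": "3",
                    "shoppingcartitem.0.quantity": "100"}
    carts, items = make_db()
    save_inline_items_vulnerable(carts, items, 2, mallory_post)
    stolen = items[3].shoppingcart_id == 2 and items[3].quantity == 100

    carts, items = make_db()
    try:
        save_inline_items_hardened(carts, items, 2, mallory_post)
        rejected = False
    except OwnershipError:
        rejected = True
    intact = items[3].shoppingcart_id == 1 and items[3].quantity == 3
    return stolen, rejected, intact
```

The check keys on the parent the view is already scoped to (cart_id) rather than on the user, which is why it still works when the attacker legitimately owns a different parent of the same type. A cart-level authorization check (does the requesting user own cart_id?) belongs in the view in addition to this, not instead of it.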

