Opened 13 years ago

Closed 13 years ago

Last modified 12 years ago

#14999 closed (fixed)

Valid lookups are rejected after r15031

Reported by: medhat Owned by: nobody
Component: contrib.admin Version: 1.3-beta
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The description of the fix for the recently found security issue in the admin interface states the following: "To remedy this, django.contrib.admin will now validate that querystring lookup arguments either specify only fields on the model being viewed, or cross relations which have been explicitly whitelisted by the application developer using the pre-existing mechanism mentioned above."

To me this means that a querystring lookup argument for a field that is on the model does not need to be whitelisted. But it does not seem to be working this way, it seems that *any* field in the querystring lookup arguments need to be whitelisted, this else will apply to all fields, not just cross relations.

I use this querystring building trick to filter on a FloatField, to filter either by field__lt=0 or field__gt=0. Adding that field to list_filters just lists all the values this field has which is not very useful.

Attachments (1)

14999-trunk.diff (3.3 KB ) - added by Ramiro Morales 13 years ago.
Tentative fix for this issue.

Download all attachments as: .zip

Change History (8)

comment:1 by medhat, 13 years ago

Summary: Valid lookups are regected after r15031Valid lookups are rejected after r15031

comment:2 by Russell Keith-Magee, 13 years ago

Triage Stage: UnreviewedAccepted

This appears to be an oversight in the security patch. This is a 1.3 blocker.

by Ramiro Morales, 13 years ago

Attachment: 14999-trunk.diff added

Tentative fix for this issue.

comment:3 by Ramiro Morales, 13 years ago

Has patch: set

comment:4 by Russell Keith-Magee, 13 years ago

Resolution: fixed
Status: newclosed

(In [15139]) Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.

comment:5 by Russell Keith-Magee, 13 years ago

(In [15140]) [1.2.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.

Backport of r15139 from trunk.

comment:6 by Ramiro Morales, 13 years ago

(In [15176]) [1.1.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.

Backport of r15139 from trunk.

comment:7 by Jacob, 12 years ago

milestone: 1.3

Milestone 1.3 deleted

Note: See TracTickets for help on using tickets.
Back to Top