Opened 5 years ago

Closed 5 years ago

#21056 closed Cleanup/optimization (fixed)

AdminSite app_list may be reverse()'d into an invalid URL endpoint

Reported by: Keryn Knight <django@…> Owned by: Tim Graham <timograham@…>
Component: contrib.admin Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Because of the way the regular expression for the app_index view is set, it allows pretty much anything to be reversed to a valid URL, even if that URL will generate a 404 when visited. This is in contrast to any of the views defined in the ModelAdmin's own get_urls, because they are included by way of the app_label for that ModelAdmin's Model class, and are usually resolved using the named url which is a combination of the app label + model name.

>>> from django.core.urlresolvers import reverse
>>> reverse('admin:index') # this is ok!
>>> reverse('admin:app_list', kwargs={'app_label': 'auth'}) # this is ok!
>>> reverse('admin:app_list', kwargs={'app_label': 'test_anything_is_allowed'}) # chances are this isn't right.

As the registry already maintains a list of ModelAdmins, it would probably be reasonably simple to iterate over those and get all distinct app labels, and compile one regex that ORs them altogether, reducing the ability to accidentally create invalid links.

Change History (7)

comment:1 Changed 5 years ago by DanRJohnson

Owner: changed from nobody to DanRJohnson
Status: newassigned

comment:2 Changed 5 years ago by DanRJohnson

I can confirm this issue. Very straightforward to reproduce this issue.

comment:3 Changed 5 years ago by DanRJohnson

Triage Stage: UnreviewedAccepted

comment:4 Changed 5 years ago by DanRJohnson

Owner: DanRJohnson deleted
Status: assignednew

comment:5 Changed 5 years ago by Keryn Knight <django@…>

As Dan has removed himself, but verified the problem [thanks!], I've whipped up a first pass at fixing it; Pull request is here, tested locally using:

PYTHONPATH=..:$PYTHONPATH python ./ --settings=test_sqlite

Essentially it saves the app labels until it's mounted the various individual modeladmins, and then compiles a regex of the form: ^(?P<app_label>app1|app2|app3|app4)/$ so that only those which are valid are resolvable. It also stops the app index being registered if there aren't any apps mounted, though I cannot imagine a reasonable scenario in which that is the case.

comment:6 Changed 5 years ago by Tim Graham

Has patch: set

comment:7 Changed 5 years ago by Tim Graham <timograham@…>

Owner: set to Tim Graham <timograham@…>
Resolution: fixed
Status: newclosed

In 170f72136758add6c9c0c59240cfce73d5672cc2:

Fixed #21056 -- AdminSite.app_index no longer blindly accepts any app-labelish input.

Note: See TracTickets for help on using tickets.
Back to Top