Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#23601 closed Uncategorized (fixed)

Possible side-imports through admindocs

Reported by: Markus Holtermann Owned by: Markus Holtermann
Component: contrib.admindocs Version: dev
Severity: Normal Keywords: security
Cc: Markus Holtermann Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The ViewDetailView from django.contrib.admindocs allows arbitrary imports via user input. However, due to required permissions to open that page this threat is not that high.

Change History (4)

comment:1 Changed 8 years ago by Markus Holtermann

Has patch: set
Status: newassigned

Pull-request: https://github.com/django/django/pull/3305

comment:2 Changed 8 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In 2f16ff5a6cbd71fc6c50e88e4087f3657222e90e:

Fixed #23601 -- Ensured view exists in URLconf before importing it in admindocs.

comment:3 Changed 8 years ago by Tim Graham <timograham@…>

In 51165401be3e9d084c6a3ebb99246e5bb29bb752:

Moved release note for refs #23601 to 1.7.1.

comment:4 Changed 8 years ago by Tim Graham <timograham@…>

In c2508990cb53b52783ebb38dc0b5f0ab5d023c76:

[1.7.x] Fixed #23601 -- Ensured view exists in URLconf before importing it in admindocs.

Backport of 2f16ff5a6c from master

Note: See TracTickets for help on using tickets.
Back to Top