Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#23601 closed Uncategorized (fixed)

Possible side-imports through admindocs

Reported by: Markus Holtermann Owned by: Markus Holtermann
Component: contrib.admindocs Version: dev
Severity: Normal Keywords: security
Cc: Markus Holtermann Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no
Pull Requests: 3305 unmerged

Description

The ViewDetailView from django.contrib.admindocs allows arbitrary imports via user input. However, due to the permissions required to open that page, this threat is not that high.

Change History (4)

comment:1 by Markus Holtermann, 10 years ago

Has patch: set
Status: new → assigned

comment:2 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In 2f16ff5a6cbd71fc6c50e88e4087f3657222e90e:

Fixed #23601 -- Ensured view exists in URLconf before importing it in admindocs.

comment:3 by Tim Graham <timograham@…>, 10 years ago

In 51165401be3e9d084c6a3ebb99246e5bb29bb752:

Moved release note for refs #23601 to 1.7.1.

comment:4 by Tim Graham <timograham@…>, 10 years ago

In c2508990cb53b52783ebb38dc0b5f0ab5d023c76:

[1.7.x] Fixed #23601 -- Ensured view exists in URLconf before importing it in admindocs.

Backport of 2f16ff5a6c from master
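
The check named in the fix ("ensured view exists in URLconf before importing it"), sketched as an added example; it is not Django's code or the patch attached to this ticket. `URLCONF_VIEWS`, the function names and the standard-library callables standing in for project views are assumptions made for illustration.

```python
import importlib
import sys


class ViewDoesNotExist(LookupError):
    """Raised when the requested name is not a view known to the URLconf."""


def import_view_unchecked(dotted_path):
    """'Before' behaviour: the module part of the user-supplied path is
    imported as-is, so any importable module has its top-level code run."""
    module_name, _, attr = dotted_path.rpartition(".")
    module = importlib.import_module(module_name)
    return getattr(module, attr)


def import_view_checked(dotted_path, urlconf_views):
    """'After' behaviour: reject the name before any import unless the exact
    dotted path is one of the views the URLconf already routes to."""
    if dotted_path not in urlconf_views:
        raise ViewDoesNotExist(dotted_path)
    module_name, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


# Constructed sample: stdlib callables stand in for a project's views.
URLCONF_VIEWS = frozenset({"textwrap.dedent", "json.dumps"})


def modules_loaded_by(func, *args):
    """Call func and return (result or exception, newly imported module names)."""
    before = set(sys.modules)
    try:
        outcome = func(*args)
    except Exception as exc:
        outcome = exc
    return outcome, set(sys.modules) - before


if __name__ == "__main__":
    # "this" is a harmless stdlib module whose import has a visible side effect.
    for name in ("textwrap.dedent", "this.s"):
        outcome, loaded = modules_loaded_by(import_view_checked, name, URLCONF_VIEWS)
        print(f"checked {name!r}: {outcome!r}, new modules: {sorted(loaded)}")
    outcome, loaded = modules_loaded_by(import_view_unchecked, "this.s")
    print(f"unchecked 'this.s': new modules: {sorted(loaded)}")
```

The allowlist is compared against the full dotted path, so a name that is importable but not routed is rejected without touching `sys.modules`.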
