Changes between Initial Version and Version 1 of Ticket #30064, comment 3
Timestamp: Jan 22, 2019, 4:19:04 PM
Legend:
- Unmodified
- Added
- Removed
- Modified
Ticket #30064, comment 3

Unmodified:

I think this should be fixed at the admin layer just like #28201 was fixed at the form layer; scanning each query string parameter for `'\x00'` as suggested in [https://github.com/django/django/pull/10884 this PR] will affect performance and is overkill IMO.

Modified (initial version):

In my opinion the issue is that the admin is relying on unsanitized `request.GET` passing to the ORM, which looks like the same class of issues as `Model.objects.get(int_field='foo')`. The admin should use a form to sanitize the input to rely on #28201's cleansing mechanism.

Modified (version 1):

In my opinion the issue is that the [https://github.com/django/django/blob/d02b2aa11e5b6c351a9a2c0673c23569889f90d6/django/contrib/admin/views/main.py#L80 admin is relying on unsanitized] `request.GET` passing to the ORM, which looks like the same class of issues as `Model.objects.get(int_field='foo')`. The admin should use a form to sanitize the input to rely on #28201's cleansing mechanism.
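The form-layer approach the comment argues for, as an added illustration that is not Django's code and not part of the ticket: each query-string parameter is cleaned by a per-field cleaner (the hypothetical `clean_integer` / `clean_char` stand in for form fields; `prohibit_null_characters` mirrors the null-byte check that #28201 put in form fields) before anything reaches the ORM, so both `'\x00'` and `int_field='foo'` are rejected with a validation error instead of a database error.

```python
import re
from typing import Callable, Dict, Mapping


class ValidationError(ValueError):
    """Raised for input rejected at the form layer (stand-in for Django's)."""


def prohibit_null_characters(value: str) -> str:
    # Mirrors the #28201 form-layer check: a NUL byte never reaches the ORM.
    if "\x00" in value:
        raise ValidationError("Null characters are not allowed.")
    return value


def clean_integer(value: str) -> int:
    # Hypothetical IntegerField-style cleaner: same class of issue as
    # Model.objects.get(int_field='foo'), caught before the query is built.
    prohibit_null_characters(value)
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValidationError(f"Enter a whole number, got {value!r}.")
    return int(value)


def clean_char(value: str) -> str:
    # Hypothetical CharField-style cleaner.
    return prohibit_null_characters(value)


# Constructed example of the lookups an admin changelist might accept;
# anything not listed here is rejected rather than passed through.
LOOKUP_FIELDS: Dict[str, Callable[[str], object]] = {
    "id__exact": clean_integer,
    "name__startswith": clean_char,
}


def clean_lookup_params(query: Mapping[str, str]) -> Dict[str, object]:
    """Clean raw request.GET-style params; only cleaned values go to the ORM."""
    cleaned: Dict[str, object] = {}
    for key, raw in query.items():
        cleaner = LOOKUP_FIELDS.get(key)
        if cleaner is None:
            raise ValidationError(f"Unknown lookup {key!r}.")
        cleaned[key] = cleaner(raw)
    return cleaned


def rejects(query: Mapping[str, str]) -> bool:
    """True if the form layer refuses the parameters (used for checks)."""
    try:
        clean_lookup_params(query)
    except ValidationError:
        return True
    return False
```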