Changes between Initial Version and Version 1 of Ticket #30064, comment 3


Timestamp:
01/22/2019 04:19:04 PM (11 months ago)
Author:
Simon Charette
Comment:

  • Ticket #30064, comment 3

    initial → v1

    Line 1 (unmodified):
    I think this should be fixed at the admin layer just like #28201 was fixed at the form layer; scanning each query string parameter for `'\x00'` as suggested in [https://github.com/django/django/pull/10884 this PR] will affect performance and is overkill IMO.

    Line 2 (unmodified): blank

    Line 3 (initial):
    In my opinion the issue is that the admin is relying on unsanitized `request.GET` being passed to the ORM, which looks like the same class of issue as `Model.objects.get(int_field='foo')`. The admin should use a form to sanitize the input in order to rely on the #28201 cleansing mechanism.

    Line 3 (v1, modified):
    In my opinion the issue is that the [https://github.com/django/django/blob/d02b2aa11e5b6c351a9a2c0673c23569889f90d6/django/contrib/admin/views/main.py#L80 admin is relying on unsanitized] `request.GET` being passed to the ORM, which looks like the same class of issue as `Model.objects.get(int_field='foo')`. The admin should use a form to sanitize the input in order to rely on the #28201 cleansing mechanism.