Opened 18 years ago
Closed 17 years ago
#3145 closed defect (invalid)
edit_inline Manipulator processor allows "stealing" of related objects
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Core (Other) | Version: | |
| Severity: | normal | Keywords: | security |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This may be the desired behavior, but I'd probably consider it a security bug. I'll let you decide, and if you agree, I'll come up with a patch for it...
Let's say I have a shopping cart system. So I have two models:
class ShoppingCart(models.Model): # ... snip ... class ShoppingCartItem(models.Model): shoppingcart = models.ForeignKey(ShoppingCart, edit_inline=models.STACKED) product = models.ForeignKey(Product, core=True) quantity = models.IntegerField() # ... snip ...
Then I have a view using django.views.generic.create_update.update_object and a template that contains:
<form action="." method="post"> <input type="text" name="shoppingcartitem.0.id" value="3" /> <input type="text" name="shoppingcartitem.0.product" value="3" /> <input type="text" name="shoppingcartitem.0.quantity" value="3" /> <input type="submit" /> </form>
If Alice creates a shopping cart with one item, 3 "Product 3"'s as above, and then Mallory comes in to her own shopping cart (not actually accessing the same ShoppingCart object as Alice but a distinct on of her own) and posts to this view with the values: shoppingcartitem.0.id=3&shoppingcartitem.0.product=3&shoppingcartitem.0.quantity=100, the item will be removed from Alice's cart and placed into Mallory's cart with a quantity of 100.
I would expect that Django would beef about either a) letting Mallory reassign the ForeignKey value for ShoppingCartItem(pk=3) or b) letting Mallory alter the value of ShoppingCartItem's not related to the ShoppingCart object she's viewing. Neither occurs.
Thoughts?
-jag
Change History (4)
comment:1 by , 18 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 17 years ago
| Cc: | added |
|---|---|
| Component: | Core framework → Documentation |
| Keywords: | None added |
| Owner: | changed from to |
| Summary: | edit_inline Manipulator processor allows "stealing" of related objects → Fast exchanger |
| Triage Stage: | Accepted → Ready for checkin |
| Version: | → unicode |
Cool website! Your web site is helpful, All the best!
comment:3 by , 17 years ago
| Cc: | removed |
|---|---|
| Component: | Documentation → Core framework |
| Keywords: | security added; None removed |
| Needs tests: | set |
| Owner: | changed from to |
| Summary: | Fast exchanger → edit_inline Manipulator processor allows "stealing" of related objects |
| Triage Stage: | Ready for checkin → Accepted |
| Version: | unicode |
comment:4 by , 17 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
A foreign key is just a foreign key; it has no inherent "meaning". If the Bar model has a foreign key to Foo, that could mean "User A owns this instance and changing it is a security breach", but it could also mean "User A is working with this instance right now but User B can take it over" or it could "mean" something else entirely. It's up to you -- the developer of your specific application -- to decide what the foreign key "means" and implement the appropriate logic.
seems like a nasty bug to me.