id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34831	Search in admin could allow issuing a query with many OR'd clauses	Natalia Bidart	Yves Weissig	"As a logged-in user, when performing searches in the Django admin, a request with a lot of terms separated by spaces could cause the server to slow down because each term is OR'd, potentially building a bad query.

The root cause of this issue is a `for` loop in `/django/contrib/admin/options.py`:

{{{#!python
if search_fields and search_term:
    orm_lookups = [construct_search(str(search_field))
                   for search_field in search_fields]
    for bit in smart_split(search_term):
        if bit.startswith(('""', ""'"")):
            bit = unescape_string_literal(bit)
        or_queries = [models.Q(**{orm_lookup: bit})
                      for orm_lookup in orm_lookups]
        queryset = queryset.filter(reduce(operator.or_, or_queries))
    use_distinct |= any(lookup_needs_distinct(self.opts, search_spec) for search_spec in orm_lookups)
}}}

The value of the string `search_term` comes from the frontend search input field and is then split on spaces using `smart_split`.

Thanks Wenchao Li of Alibaba Group for the report."	Cleanup/optimization	assigned	contrib.admin	dev	Normal				Accepted	0	0	0	0	0	0
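The loop quoted in the ticket, modelled as a runnable added example (this is not Django's code and not the ticket's own). It assumes simplified re-implementations of `django.utils.text.smart_split` and `unescape_string_literal`, the documented `^` / `=` search_fields prefixes (the `@` full-text prefix is left out), an approximate SQL rendering of the `icontains`/`istartswith`/`iexact` lookups, a `max_terms` guard that Django does not have, and constructed sample rows in an in-memory SQLite table. It makes the clause growth visible: every whitespace-separated bit becomes one OR group over all search fields, and the groups are AND-ed, so the WHERE clause carries terms × search_fields comparisons.

```python
import re
import sqlite3

# Simplified re-implementation of django.utils.text.smart_split: split on
# whitespace but keep quoted phrases (quotes included) as one bit. Assumption:
# written here so the example runs without Django installed.
SMART_SPLIT_RE = re.compile(
    r'((?:[^\s\'"]*(?:(?:"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')[^\s\'"]*)+)|\S+)'
)

# SQLite LIKE escape clause; pattern values below escape % _ \ with a backslash.
ESCAPE_CLAUSE = "ESCAPE '\\'"

SAMPLE_ROWS = [  # constructed sample data: (id, title, author)
    (1, "Two Scoops of Django", "Greenfeld"),
    (2, "Django for APIs", "Vincent"),
    (3, "Fluent Python", "Ramalho"),
    (4, "100% Django", "Nobody"),
]


def smart_split(text):
    return [m.group(0) for m in SMART_SPLIT_RE.finditer(text)]


def unescape_string_literal(s):
    """Drop the surrounding quotes and unescape \\<quote> and \\\\ inside them."""
    quote = s[0]
    return s[1:-1].replace("\\" + quote, quote).replace("\\\\", "\\")


def construct_search(field_name):
    """search_fields prefixes as the admin documents them: ^ starts-with,
    = exact, anything else contains (the @ full-text prefix is not modelled)."""
    if field_name.startswith("^"):
        return field_name[1:], "istartswith"
    if field_name.startswith("="):
        return field_name[1:], "iexact"
    return field_name, "icontains"


def _like_escape(value):
    """Escape LIKE wildcards so the user's term is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_where(search_fields, search_term, max_terms=None):
    """Mirror the loop in the ticket: every bit of the split term becomes an OR
    group over all search_fields, and the groups are AND-ed together.

    Returns (where_sql, params, clause_count). max_terms is an added guard that
    Django does not have; None reproduces the unbounded behaviour in the ticket.
    """
    lookups = [construct_search(f) for f in search_fields]
    bits = smart_split(search_term)
    if max_terms is not None and len(bits) > max_terms:
        raise ValueError(f"{len(bits)} search terms exceeds the limit of {max_terms}")
    groups, params = [], []
    for bit in bits:
        # Only unquote a complete literal; a lone opening quote is searched as-is.
        if len(bit) > 1 and bit[0] in "\"'" and bit[-1] == bit[0]:
            bit = unescape_string_literal(bit)
        clauses = []
        for column, lookup in lookups:  # column names come from trusted admin config
            if lookup == "iexact":
                clauses.append(f'LOWER("{column}") = LOWER(?)')
                params.append(bit)
            else:
                pattern = _like_escape(bit) + "%"
                if lookup == "icontains":
                    pattern = "%" + pattern
                clauses.append(f'"{column}" LIKE ? {ESCAPE_CLAUSE}')
                params.append(pattern)
        groups.append("(" + " OR ".join(clauses) + ")")
    where = " AND ".join(groups) if groups else "1"
    return where, params, len(bits) * len(lookups)


def run_search(rows, search_fields, search_term, max_terms=None):
    """Execute the generated WHERE clause against an in-memory SQLite table and
    return the matching ids; the user's term only ever travels as parameters."""
    where, params, _ = build_where(search_fields, search_term, max_terms)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE book (id INTEGER, title TEXT, author TEXT)")
    con.executemany("INSERT INTO book VALUES (?, ?, ?)", rows)
    ids = [r[0] for r in con.execute(f"SELECT id FROM book WHERE {where} ORDER BY id", params)]
    con.close()
    return ids


if __name__ == "__main__":
    where, params, n = build_where(["title", "author"], 'django "for apis"')
    print(n, "clauses:", where, params)
    print(run_search(SAMPLE_ROWS, ["title", "author"], 'django "for apis"'))
    print(build_where(["title", "author"], " ".join(["x"] * 500))[2], "clauses for 500 terms")
```

Two things worth noting from running it. The term never reaches the database as SQL text, only as bound parameters with LIKE wildcards escaped, so the exposure is query size rather than injection: 500 bits over two search fields is already a 1000-comparison WHERE clause, and where a search field crosses a multi-valued relation each per-term `.filter()` call in the ticket's loop also gets its own JOIN (the ORM's documented behaviour for chained filters on multi-valued relations). A project that cannot wait for an upstream change can bound the number of bits in an override of `ModelAdmin.get_search_results()`, which is what the `max_terms` argument stands in for here.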
