﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
5023	Tighten security around generic views	Chui Tey	nobody	"Forms with edit_inline fields include the PK in hidden inputs.
However, this should not be trusted. 
If PK was specified and no related object was retrieved, then reset the PK to NULL. A new row will be created instead of modifying an existing row.

You should be able to test this by adding a hidden input to the top of mymodel_form.html on an unpatched system. This will result in a child row being hijacked from another parent.

{{{
Index: db/models/manipulators.py
===================================================================
--- db/models/manipulators.py   (revision 5773)
+++ db/models/manipulators.py   (working copy)
@@ -168,7 +168,10 @@
                             try:
                                 old_rel_obj = getattr(self.original_object, related.get_accessor_name()).get(**{'%s__exact' % related.opts.pk.name: rel_new_data[related.opts.pk.attname][0]})
                             except ObjectDoesNotExist:
-                                pass
+                                # Security: PK should not be trusted as it comes from the web.
+                                #   if PK is in the POSTed data, and an object was not fetched from the database
+                                #   then reset it's PK to NULL
+                                rel_new_data[related.opts.pk.name][0] = u''

                     for f in related.opts.fields:
                         if f.core and not isinstance(f, FileField) and f.get_manipulator_new_data(rel_new_data, rel=True) in (None, ''):
}}}
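Review bot: the key used for the reset does not match the key used for the lookup, so the untrusted PK may survive the reset: the `get()` reads `rel_new_data[related.opts.pk.attname][0]`, while the new line writes `rel_new_data[related.opts.pk.name][0] = u''`. For an AutoField PK `name` and `attname` are identical, but for a ForeignKey/OneToOne used as primary key `attname` is `<name>_id`, so the value the manipulator actually uses stays in place and the child row can still be re-attached. Use `related.opts.pk.attname` on both lines. Two smaller points in the same hunk: the comment says the PK is reset to NULL while the code stores the empty string `u''`, so the comment should say "empty" (or state that '' is what the manipulator treats as "no PK"); and "reset it's PK" should read "its".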
"		closed	Generic views	dev		wontfix		ivanov.maxim@…	Design decision needed	1	0	0	0	0	0
