mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-28 16:16:12 +00:00
Code Issues 32 Releases Wiki Activity

[1.5.x] Prevented data leakage in contrib.admin via query string manipulation.

Browse Source 
This is a security fix. Disclosure following shortly.
This commit is contained in:
Simon Charette
2014-08-11 15:36:16 -04:00
committed by Tim Graham
parent dd68f319b3
commit 2a446c896e
6 changed files with 76 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
tests/regressiontests/admin_views/tests.py
View File

@@ -16,11 +16,12 @@ from django.core.files import temp as tempfile
from django.core.urlresolvers import reverse
# Register auth models with the admin.
from django.contrib import admin
from django.contrib.admin.exceptions import DisallowedModelAdminToField
from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
from django.contrib.admin.models import LogEntry, DELETION
from django.contrib.admin.sites import LOGIN_FORM_KEY
from django.contrib.admin.util import quote
from django.contrib.admin.views.main import IS_POPUP_VAR
from django.contrib.admin.views.main import IS_POPUP_VAR, TO_FIELD_VAR
from django.contrib.admin.tests import AdminSeleniumWebDriverTestCase
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.contrib.auth.models import Group, User, Permission, UNUSABLE_PASSWORD
@@ -557,6 +558,19 @@ class AdminViewBasicTest(TestCase):
response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
self.assertEqual(response.status_code, 200)
def test_disallowed_to_field(self):
with self.assertRaises(DisallowedModelAdminToField):
response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'missing_field'})
# Specifying a field that is not refered by any other model registered
# to this admin site should raise an exception.
with self.assertRaises(DisallowedModelAdminToField):
response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'name'})
# Specifying a field referenced by another model should be allowed.
response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'})
self.assertEqual(response.status_code, 200)
def test_allowed_filtering_15103(self):
"""
Regressions test for ticket 15103 - filtering on fields defined in a
@@ -2138,10 +2152,9 @@ class AdminSearchTest(TestCase):
"""Ensure that the to_field GET parameter is preserved when a search
is performed. Refs #10918.
"""
from django.contrib.admin.views.main import TO_FIELD_VAR
response = self.client.get('/test_admin/admin/auth/user/?q=joe&%s=username' % TO_FIELD_VAR)
response = self.client.get('/test_admin/admin/auth/user/?q=joe&%s=id' % TO_FIELD_VAR)
self.assertContains(response, "\n1 user\n")
self.assertContains(response, '<input type="hidden" name="t" value="username"/>', html=True)
self.assertContains(response, '<input type="hidden" name="%s" value="id"/>' % TO_FIELD_VAR, html=True)
def test_exact_matches(self):
response = self.client.get('/test_admin/admin/admin_views/recommendation/?q=bar')