Fix a security issue in the admin. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15031 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-11-07 07:15:35 +00:00 · 2010-12-23 03:44:38 +00:00
parent 5ed6e7a4d5
commit 732198ed5c
4 changed files with 62 additions and 4 deletions
--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -100,7 +100,7 @@ class ChapterXtra1Admin(admin.ModelAdmin):

 class ArticleAdmin(admin.ModelAdmin):
    list_display = ('content', 'date', callable_year, 'model_year', 'modeladmin_year')
-    list_filter = ('date',)
+    list_filter = ('date', 'section')

    def changelist_view(self, request):
        "Test that extra_context works"
@@ -611,6 +611,9 @@ class Album(models.Model):
    owner = models.ForeignKey(User)
    title = models.CharField(max_length=30)

+class AlbumAdmin(admin.ModelAdmin):
+    list_filter = ['title']
+
 admin.site.register(Article, ArticleAdmin)
 admin.site.register(CustomArticle, CustomArticleAdmin)
 admin.site.register(Section, save_as=True, inlines=[ArticleInline])
@@ -657,4 +660,4 @@ admin.site.register(Promo)
 admin.site.register(ChapterXtra1, ChapterXtra1Admin)
 admin.site.register(Pizza, PizzaAdmin)
 admin.site.register(Topping)
-admin.site.register(Album)
+admin.site.register(Album, AlbumAdmin)
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -5,6 +5,7 @@ import datetime

 from django.conf import settings
 from django.core import mail
+from django.core.exceptions import SuspiciousOperation
 from django.core.files import temp as tempfile
 from django.core.urlresolvers import reverse
 # Register auth models with the admin.
@@ -348,6 +349,15 @@ class AdminViewBasicTest(TestCase):
        self.assertContains(response, 'Choisir une heure')
        deactivate()

+    def test_disallowed_filtering(self):
+        self.assertRaises(SuspiciousOperation,
+            self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
+        )
+
+        try:
+            self.client.get("/test_admin/admin/admin_views/stuff/?color__value__startswith=red")
+        except SuspiciousOperation:
+            self.fail("Filters are allowed if explicitly included in list_filter")

 class SaveAsTests(TestCase):
    fixtures = ['admin-views-users.xml','admin-views-person.xml']