mirror of https://github.com/django/django.git
63 lines
2.9 KiB
Plaintext
63 lines
2.9 KiB
Plaintext
==========================
|
|
Django 2.2.8 release notes
|
|
==========================
|
|
|
|
*December 2, 2019*
|
|
|
|
Django 2.2.8 fixes a security issue, several bugs in 2.2.7, and adds
|
|
compatibility with Python 3.8.
|
|
|
|
CVE-2019-19118: Privilege escalation in the Django admin.
|
|
=========================================================
|
|
|
|
Since Django 2.1, a Django model admin displaying a parent model with related
|
|
model inlines, where the user has view-only permissions to a parent model but
|
|
edit permissions to the inline model, would display a read-only view of the
|
|
parent model but editable forms for the inline.
|
|
|
|
Submitting these forms would not allow direct edits to the parent model, but
|
|
would trigger the parent model's ``save()`` method, and cause pre and post-save
|
|
signal handlers to be invoked. This is a privilege escalation as a user who
|
|
lacks permission to edit a model should not be able to trigger its save-related
|
|
signals.
|
|
|
|
To resolve this issue, the permission handling code of the Django admin
|
|
interface has been changed. Now, if a user has only the "view" permission for a
|
|
parent model, the entire displayed form will not be editable, even if the user
|
|
has permission to edit models included in inlines.
|
|
|
|
This is a backwards-incompatible change, and the Django security team is aware
|
|
that some users of Django were depending on the ability to allow editing of
|
|
inlines in the admin form of an otherwise view-only parent model.
|
|
|
|
Given the complexity of the Django admin, and in-particular the permissions
|
|
related checks, it is the view of the Django security team that this change was
|
|
necessary: that it is not currently feasible to maintain the existing behavior
|
|
while escaping the potential privilege escalation in a way that would avoid a
|
|
recurrence of similar issues in the future, and that would be compatible with
|
|
Django's *safe by default* philosophy.
|
|
|
|
For the time being, developers whose applications are affected by this change
|
|
should replace the use of inlines in read-only parents with custom forms and
|
|
views that explicitly implement the desired functionality. In the longer term,
|
|
adding a documented, supported, and properly-tested mechanism for
|
|
partially-editable multi-model forms to the admin interface may occur in Django
|
|
itself.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a data loss possibility in the admin changelist view when a custom
|
|
:ref:`formset's prefix <formset-prefix>` contains regular expression special
|
|
characters, e.g. ``'$'`` (:ticket:`31031`).
|
|
|
|
* Fixed a regression in Django 2.2.1 that caused a crash when migrating
|
|
permissions for proxy models with a multiple database setup if the
|
|
``default`` entry was empty (:ticket:`31021`).
|
|
|
|
* Fixed a data loss possibility in the
|
|
:meth:`~django.db.models.query.QuerySet.select_for_update()`. When using
|
|
``'self'`` in the ``of`` argument with :ref:`multi-table inheritance
|
|
<multi-table-inheritance>`, a parent model was locked instead of the
|
|
queryset's model (:ticket:`30953`).
|