test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report. 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2011-01-03 13:56:31 +00:00
parent d41bd3f7f2
commit 6bd8c14be9
3 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/contrib/admin/options.py
View File

@ -239,6 +239,8 @@ class BaseModelAdmin(object):
# later. # later.
return True return True
else: else:
if len(parts) == 1:
return True
clean_lookup = LOOKUP_SEP.join(parts) clean_lookup = LOOKUP_SEP.join(parts)
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy

3
tests/regressiontests/admin_views/models.py
View File

@ -176,7 +176,7 @@ class Thing(models.Model):
return self.title return self.title
class ThingAdmin(admin.ModelAdmin): class ThingAdmin(admin.ModelAdmin):
list_filter = ('color', 'color__warm', 'color__value') list_filter = ('color__warm', 'color__value')
class Fabric(models.Model): class Fabric(models.Model):
NG_CHOICES = ( NG_CHOICES = (
@ -200,6 +200,7 @@ class Person(models.Model):
) )
name = models.CharField(max_length=100) name = models.CharField(max_length=100)
gender = models.IntegerField(choices=GENDER_CHOICES) gender = models.IntegerField(choices=GENDER_CHOICES)
age = models.IntegerField(default=21)
alive = models.BooleanField() alive = models.BooleanField()
def __unicode__(self): def __unicode__(self):

10
tests/regressiontests/admin_views/tests.py
View File

@ -372,10 +372,16 @@ class AdminViewBasicTest(TestCase):
) )
try: try:
self.client.get("/test_admin/admin/admin_views/stuff/?color__value__startswith=red") self.client.get("/test_admin/admin/admin_views/thing/?color__value__startswith=red")
self.client.get("/test_admin/admin/admin_views/thing/?color__value=red")
except SuspiciousOperation: except SuspiciousOperation:
self.fail("Filters are allowed if explicitly included in list_filter") self.fail("Filters are allowed if explicitly included in list_filter")
try:
self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
except SuspiciousOperation:
self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
class SaveAsTests(TestCase): class SaveAsTests(TestCase):
fixtures = ['admin-views-users.xml','admin-views-person.xml'] fixtures = ['admin-views-users.xml','admin-views-person.xml']
@ -387,7 +393,7 @@ class SaveAsTests(TestCase):
def test_save_as_duplication(self): def test_save_as_duplication(self):
"""Ensure save as actually creates a new person""" """Ensure save as actually creates a new person"""
post_data = {'_saveasnew':'', 'name':'John M', 'gender':1} post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data) response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
self.assertEqual(len(Person.objects.filter(name='John M')), 1) self.assertEqual(len(Person.objects.filter(name='John M')), 1)
self.assertEqual(len(Person.objects.filter(id=1)), 1) self.assertEqual(len(Person.objects.filter(id=1)), 1)