summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2014-08-07 00:18:10 -0400
committerTim Graham <timograham@gmail.com>2014-08-20 14:39:40 -0400
commit53ff0969822ac2248a89ccb6fef1088212dc800d (patch)
tree57564f5a5293329b156592b82e964f7c4929598b /docs
parent5307ce565fbedb9cc27cbe7c757b41a00438d37c (diff)
Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/exceptions.txt1
-rw-r--r--docs/releases/1.4.14.txt15
-rw-r--r--docs/releases/1.5.9.txt15
-rw-r--r--docs/releases/1.6.6.txt15
4 files changed, 46 insertions, 0 deletions
diff --git a/docs/ref/exceptions.txt b/docs/ref/exceptions.txt
index 3b8b644c76..e74e0991e1 100644
--- a/docs/ref/exceptions.txt
+++ b/docs/ref/exceptions.txt
@@ -56,6 +56,7 @@ SuspiciousOperation
* DisallowedHost
* DisallowedModelAdminLookup
+ * DisallowedModelAdminToField
* DisallowedRedirect
* InvalidSessionKey
* SuspiciousFileOperation
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt
index 811c3f67ea..98de8b018e 100644
--- a/docs/releases/1.4.14.txt
+++ b/docs/releases/1.4.14.txt
@@ -47,3 +47,18 @@ and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.
+
+Data leakage via query string manipulation in ``contrib.admin``
+===============================================================
+
+In older versions of Django it was possible to reveal any field's data by
+modifying the "popup" and "to_field" parameters of the query string on an admin
+change form page. For example, requesting a URL like
+``/admin/auth/user/?pop=1&t=password`` and viewing the page's HTML allowed
+viewing the password hash of each user. While the admin requires users to have
+permissions to view the change form pages in the first place, this could leak
+data if you rely on users having access to view only certain fields on a model.
+
+To address the issue, an exception will now be raised if a ``to_field`` value
+that isn't a related field to a model that has been registered with the admin
+is specified.
diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt
index 5070f0eca1..5b91de0eb2 100644
--- a/docs/releases/1.5.9.txt
+++ b/docs/releases/1.5.9.txt
@@ -47,3 +47,18 @@ and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.
+
+Data leakage via query string manipulation in ``contrib.admin``
+===============================================================
+
+In older versions of Django it was possible to reveal any field's data by
+modifying the "popup" and "to_field" parameters of the query string on an admin
+change form page. For example, requesting a URL like
+``/admin/auth/user/?pop=1&t=password`` and viewing the page's HTML allowed
+viewing the password hash of each user. While the admin requires users to have
+permissions to view the change form pages in the first place, this could leak
+data if you rely on users having access to view only certain fields on a model.
+
+To address the issue, an exception will now be raised if a ``to_field`` value
+that isn't a related field to a model that has been registered with the admin
+is specified.
diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt
index e52ea6b23f..63a1537c97 100644
--- a/docs/releases/1.6.6.txt
+++ b/docs/releases/1.6.6.txt
@@ -48,6 +48,21 @@ requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.
+Data leakage via query string manipulation in ``contrib.admin``
+===============================================================
+
+In older versions of Django it was possible to reveal any field's data by
+modifying the "popup" and "to_field" parameters of the query string on an admin
+change form page. For example, requesting a URL like
+``/admin/auth/user/?_popup=1&t=password`` and viewing the page's HTML allowed
+viewing the password hash of each user. While the admin requires users to have
+permissions to view the change form pages in the first place, this could leak
+data if you rely on users having access to view only certain fields on a model.
+
+To address the issue, an exception will now be raised if a ``to_field`` value
+that isn't a related field to a model that has been registered with the admin
+is specified.
+
Bugfixes
========