diff options
| author | Simon Charette <charette.s@gmail.com> | 2014-08-07 00:18:10 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-20 11:43:43 -0400 |
| commit | f7c494f2506250b8cb5923714360a3642ed63e0f (patch) | |
| tree | e2171d483c03a3153c57c665ef04cacd874a80f6 /docs | |
| parent | 0268b855f9eab3377f2821164ef3e66037789e09 (diff) | |
[1.6.x] Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/exceptions.txt | 1 | ||||
| -rw-r--r-- | docs/releases/1.4.14.txt | 15 | ||||
| -rw-r--r-- | docs/releases/1.5.9.txt | 15 | ||||
| -rw-r--r-- | docs/releases/1.6.6.txt | 15 |
4 files changed, 46 insertions, 0 deletions
diff --git a/docs/ref/exceptions.txt b/docs/ref/exceptions.txt index 956ee5a188..13cbb342d0 100644 --- a/docs/ref/exceptions.txt +++ b/docs/ref/exceptions.txt @@ -56,6 +56,7 @@ SuspiciousOperation * DisallowedHost * DisallowedModelAdminLookup + * DisallowedModelAdminToField * DisallowedRedirect * InvalidSessionKey * SuspiciousFileOperation diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt index 811c3f67ea..98de8b018e 100644 --- a/docs/releases/1.4.14.txt +++ b/docs/releases/1.4.14.txt @@ -47,3 +47,18 @@ and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between requests without an intervening logout could result in the prior user's session being co-opted by the subsequent user. The middleware now logs the user out on a failed login attempt. + +Data leakage via query string manipulation in ``contrib.admin`` +=============================================================== + +In older versions of Django it was possible to reveal any field's data by +modifying the "popup" and "to_field" parameters of the query string on an admin +change form page. For example, requesting a URL like +``/admin/auth/user/?pop=1&t=password`` and viewing the page's HTML allowed +viewing the password hash of each user. While the admin requires users to have +permissions to view the change form pages in the first place, this could leak +data if you rely on users having access to view only certain fields on a model. + +To address the issue, an exception will now be raised if a ``to_field`` value +that isn't a related field to a model that has been registered with the admin +is specified. diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt index 5070f0eca1..5b91de0eb2 100644 --- a/docs/releases/1.5.9.txt +++ b/docs/releases/1.5.9.txt @@ -47,3 +47,18 @@ and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between requests without an intervening logout could result in the prior user's session being co-opted by the subsequent user. The middleware now logs the user out on a failed login attempt. + +Data leakage via query string manipulation in ``contrib.admin`` +=============================================================== + +In older versions of Django it was possible to reveal any field's data by +modifying the "popup" and "to_field" parameters of the query string on an admin +change form page. For example, requesting a URL like +``/admin/auth/user/?pop=1&t=password`` and viewing the page's HTML allowed +viewing the password hash of each user. While the admin requires users to have +permissions to view the change form pages in the first place, this could leak +data if you rely on users having access to view only certain fields on a model. + +To address the issue, an exception will now be raised if a ``to_field`` value +that isn't a related field to a model that has been registered with the admin +is specified. diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt index e52ea6b23f..63a1537c97 100644 --- a/docs/releases/1.6.6.txt +++ b/docs/releases/1.6.6.txt @@ -48,6 +48,21 @@ requests without an intervening logout could result in the prior user's session being co-opted by the subsequent user. The middleware now logs the user out on a failed login attempt. +Data leakage via query string manipulation in ``contrib.admin`` +=============================================================== + +In older versions of Django it was possible to reveal any field's data by +modifying the "popup" and "to_field" parameters of the query string on an admin +change form page. For example, requesting a URL like +``/admin/auth/user/?_popup=1&t=password`` and viewing the page's HTML allowed +viewing the password hash of each user. While the admin requires users to have +permissions to view the change form pages in the first place, this could leak +data if you rely on users having access to view only certain fields on a model. + +To address the issue, an exception will now be raised if a ``to_field`` value +that isn't a related field to a model that has been registered with the admin +is specified. + Bugfixes ======== |
