summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2014-08-07 00:18:10 -0400
committerTim Graham <timograham@gmail.com>2014-08-20 14:39:40 -0400
commit53ff0969822ac2248a89ccb6fef1088212dc800d (patch)
tree57564f5a5293329b156592b82e964f7c4929598b /tests
parent5307ce565fbedb9cc27cbe7c757b41a00438d37c (diff)
Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'tests')
-rw-r--r--tests/admin_views/tests.py36
1 files changed, 33 insertions, 3 deletions
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index adc49a5db0..60ad3d2b7b 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -18,6 +18,7 @@ from django.contrib.auth import get_permission_codename
from django.contrib.admin import ModelAdmin
from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
from django.contrib.admin.models import LogEntry, DELETION
+from django.contrib.admin.options import TO_FIELD_VAR
from django.contrib.admin.templatetags.admin_static import static
from django.contrib.admin.templatetags.admin_urls import add_preserved_filters
from django.contrib.admin.tests import AdminSeleniumWebDriverTestCase
@@ -598,6 +599,36 @@ class AdminViewBasicTest(AdminViewBasicTestCase):
response = self.client.get("/test_admin/admin/admin_views/workhour/?employee__person_ptr__exact=%d" % e1.pk)
self.assertEqual(response.status_code, 200)
+ def test_disallowed_to_field(self):
+ with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
+ response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'missing_field'})
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(len(calls), 1)
+
+ # Specifying a field that is not refered by any other model registered
+ # to this admin site should raise an exception.
+ with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
+ response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'name'})
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(len(calls), 1)
+
+ # Specifying a field referenced by another model should be allowed.
+ response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'})
+ self.assertEqual(response.status_code, 200)
+
+ # We also want to prevent the add and change view from leaking a
+ # disallowed field value.
+ with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
+ response = self.client.post("/test_admin/admin/admin_views/section/add/", {TO_FIELD_VAR: 'name'})
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(len(calls), 1)
+
+ section = Section.objects.create()
+ with patch_logger('django.security.DisallowedModelAdminToField', 'error') as calls:
+ response = self.client.post("/test_admin/admin/admin_views/section/%d/" % section.pk, {TO_FIELD_VAR: 'name'})
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(len(calls), 1)
+
def test_allowed_filtering_15103(self):
"""
Regressions test for ticket 15103 - filtering on fields defined in a
@@ -2378,10 +2409,9 @@ class AdminSearchTest(TestCase):
"""Ensure that the to_field GET parameter is preserved when a search
is performed. Refs #10918.
"""
- from django.contrib.admin.views.main import TO_FIELD_VAR
- response = self.client.get('/test_admin/admin/auth/user/?q=joe&%s=username' % TO_FIELD_VAR)
+ response = self.client.get('/test_admin/admin/auth/user/?q=joe&%s=id' % TO_FIELD_VAR)
self.assertContains(response, "\n1 user\n")
- self.assertContains(response, '<input type="hidden" name="_to_field" value="username"/>', html=True)
+ self.assertContains(response, '<input type="hidden" name="%s" value="id"/>' % TO_FIELD_VAR, html=True)
def test_exact_matches(self):
response = self.client.get('/test_admin/admin/admin_views/recommendation/?q=bar')