From 027bd348642007617518379f8b02546abacaa6e0 Mon Sep 17 00:00:00 2001 From: Simon Charette Date: Mon, 11 Aug 2014 15:36:16 -0400 Subject: [1.4.x] Prevented data leakage in contrib.admin via query string manipulation. This is a security fix. Disclosure following shortly. --- docs/releases/1.4.14.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt index 811c3f67ea..98de8b018e 100644 --- a/docs/releases/1.4.14.txt +++ b/docs/releases/1.4.14.txt @@ -47,3 +47,18 @@ and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between requests without an intervening logout could result in the prior user's session being co-opted by the subsequent user. The middleware now logs the user out on a failed login attempt. + +Data leakage via query string manipulation in ``contrib.admin`` +=============================================================== + +In older versions of Django it was possible to reveal any field's data by +modifying the "popup" and "to_field" parameters of the query string on an admin +change form page. For example, requesting a URL like +``/admin/auth/user/?pop=1&t=password`` and viewing the page's HTML allowed +viewing the password hash of each user. While the admin requires users to have +permissions to view the change form pages in the first place, this could leak +data if you rely on users having access to view only certain fields on a model. + +To address the issue, an exception will now be raised if a ``to_field`` value +that isn't a related field to a model that has been registered with the admin +is specified. -- cgit v1.3