path: root/django/contrib/admin/options.py
authorAlex Gaynor <alex.gaynor@gmail.com>2010-12-23 03:47:38 +0000
committerAlex Gaynor <alex.gaynor@gmail.com>2010-12-23 03:47:38 +0000
commit17084839fd7e267da5729f2a27753322b9d415a0 (patch)
tree99ae9f6a7c7d05db16e07b1b0513265133f550dd /django/contrib/admin/options.py
parent934dc9e71212ca4e73ea9af956ef120b411dc8ef (diff)
[1.1.X] Fix a security issue in the admin. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15035 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/contrib/admin/options.py')
-rw-r--r--django/contrib/admin/options.py28
1 files changed, 27 insertions, 1 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 7cd2476efb..3ed8b18c6b 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -8,7 +8,9 @@ from django.contrib.admin import helpers
from django.contrib.admin.util import unquote, flatten_fieldsets, get_deleted_objects, model_ngettext, model_format_dict
from django.core.exceptions import PermissionDenied, ValidationError
from django.db import models, transaction
-from django.db.models.fields import BLANK_CHOICE_DASH
+from django.db.models.related import RelatedObject
+from django.db.models.fields import BLANK_CHOICE_DASH, FieldDoesNotExist
+from django.db.models.sql.constants import LOOKUP_SEP, QUERY_TERMS
from django.http import Http404, HttpResponse, HttpResponseRedirect
from django.shortcuts import get_object_or_404, render_to_response
from django.utils.datastructures import SortedDict
@@ -171,6 +173,30 @@ class BaseModelAdmin(object):
return None
declared_fieldsets = property(_declared_fieldsets)
+ def lookup_allowed(self, lookup):
+ parts = lookup.split(LOOKUP_SEP)
+
+ # Last term in lookup is a query term (__exact, __startswith etc)
+ # This term can be ignored.
+ if len(parts) > 1 and parts[-1] in QUERY_TERMS:
+ parts.pop()
+
+ # Special case -- foo__id__exact and foo__id queries are implied
+ # if foo has been specificially included in the lookup list; so
+ # drop __id if it is the last part.
+ if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:
+ parts.pop()
+
+ try:
+ self.model._meta.get_field_by_name(parts[0])
+ except FieldDoesNotExist:
+ # Lookups on non-existants fields are ok, since they're ignored
+ # later.
+ return True
+ else:
+ clean_lookup = LOOKUP_SEP.join(parts)
+ return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
+
class ModelAdmin(BaseModelAdmin):
"Encapsulates all admin options and functionality for a given model."
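Review bot: The pk special case at `if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:` compares the trailing part with the pk name of the admin's own model, but the part it is meant to strip (the `id` in `foo__id`) belongs to the model that `foo` points at; as written, a related model's non-pk field that happens to share this model's pk name is silently treated as implied by `foo` being in `list_filter`, and a related pk with a different name is never stripped at all. The relation chain should be resolved part by part through `get_field_by_name`, following `field.rel.to` for forward relations and `RelatedObject.model` for reverse ones (the `RelatedObject` import added in the first hunk is otherwise not referenced by any inserted line), so that the comparison uses the pk name of the model actually reached. The method also has no docstring; a one-liner such as `"""Return True if ``lookup`` may be applied to this admin's queryset: only ``list_filter`` entries, ``date_hierarchy``, the implied ``<relation>__<pk>`` form and lookups on non-existent fields (ignored later) are accepted."""` would state the contract the check enforces. `BaseModelAdmin` begins outside the hunk.
```python
    def lookup_allowed(self, lookup):
        parts = lookup.split(LOOKUP_SEP)

        # … unchanged: drop a trailing QUERY_TERMS part …

        # Special case -- foo__id__exact and foo__id queries are implied
        # if foo has been specificially included in the lookup list; so
        # drop the last part only when it names the pk of the model that the
        # preceding relation chain actually reaches (not this model's pk).
        model = self.model
        rel_pk_name = None
        for part in parts[:-1]:
            try:
                field = model._meta.get_field_by_name(part)[0]
            except FieldDoesNotExist:
                # Lookups on non-existant fields are ok, since they're
                # ignored later.
                return True
            if getattr(field, 'rel', None) is not None:
                model = field.rel.to
                rel_pk_name = model._meta.pk.name
            elif isinstance(field, RelatedObject):
                model = field.model
                rel_pk_name = model._meta.pk.name
            else:
                rel_pk_name = None
        if rel_pk_name is not None and len(parts) > 1 and parts[-1] == rel_pk_name:
            parts.pop()

        # … unchanged: existence check on parts[0] and the list_filter /
        # date_hierarchy test …
```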