authorSimon Charette <charette.s@gmail.com>2014-08-11 15:36:16 -0400
committerTim Graham <timograham@gmail.com>2014-08-11 16:01:41 -0400
commit027bd348642007617518379f8b02546abacaa6e0 (patch)
tree573f0e4f79c862f6f4983a0d0caab5b54facdf5a /django/contrib/admin/options.py
parentc9e3b9949cd55f090591fbdc4a114fcb8368b6d9 (diff)
[1.4.x] Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'django/contrib/admin/options.py')
-rw-r--r--django/contrib/admin/options.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 78a08cd120..cf3497b93c 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -269,6 +269,24 @@ class BaseModelAdmin(object):
clean_lookup = LOOKUP_SEP.join(parts)
return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
+ def to_field_allowed(self, request, to_field):
+ opts = self.model._meta
+
+ try:
+ field = opts.get_field(to_field)
+ except FieldDoesNotExist:
+ return False
+
+ # Make sure at least one of the models registered for this site
+ # references this field.
+ registered_models = self.admin_site._registry
+ for related_object in opts.get_all_related_objects():
+ if (related_object.model in registered_models and
+ field == related_object.field.rel.get_related_field()):
+ return True
+
+ return False
+
def has_add_permission(self, request):
"""
Returns True if the given request has permission to add an object.
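Review bot: `to_field_allowed` carries no docstring even though it is the gate that decides which fields a caller may look an object up by, and the inline comment only explains the loop, not the contract callers must honour. I would add a docstring such as `"""Return True if the model can safely be looked up by ``to_field``: the name must resolve to a real field and at least one model registered on this admin site must have a relation whose target is that field. Callers must reject the request when this returns False."""`, mirroring the style of `has_add_permission` just below. The `request` argument is never read here; if it is intentionally kept as an override hook for subclasses, a one-line comment saying so would stop a later cleanup from dropping it. Where the result is enforced is outside this hunk, so a reviewer cannot confirm from these lines alone that every entry point that accepts a to-field value consults it.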