diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-11-25 15:23:52 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-12-02 08:57:44 +0100 |
| commit | 092cd66cf3c3e175acce698d6ca2012068d878fa (patch) | |
| tree | 7632a9bd92e8bdc07a6e2e082a895d6c7101e965 /docs/releases/2.1.15.txt | |
| parent | db0cc4ae96c4752d10d98a3c7f2c48f813bf8a7f (diff) | |
Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.
Thank you to Shen Ying for reporting this issue.
Diffstat (limited to 'docs/releases/2.1.15.txt')
| -rw-r--r-- | docs/releases/2.1.15.txt | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/docs/releases/2.1.15.txt b/docs/releases/2.1.15.txt index 8d13bb281f..29764f986e 100644 --- a/docs/releases/2.1.15.txt +++ b/docs/releases/2.1.15.txt @@ -4,7 +4,46 @@ Django 2.1.15 release notes *Expected December 2, 2019* -Django 2.1.15 fixes a data loss bug in 2.1.14. +Django 2.1.15 fixes a security issue and a data loss bug in 2.1.14. + +CVE-2019-19118: Privilege escalation in the Django admin. +========================================================= + +Since Django 2.1, a Django model admin displaying a parent model with related +model inlines, where the user has view-only permissions to a parent model but +edit permissions to the inline model, would display a read-only view of the +parent model but editable forms for the inline. + +Submitting these forms would not allow direct edits to the parent model, but +would trigger the parent model's ``save()`` method, and cause pre and post-save +signal handlers to be invoked. This is a privilege escalation as a user who +lacks permission to edit a model should not be able to trigger its save-related +signals. + +To resolve this issue, the permission handling code of the Django admin +interface has been changed. Now, if a user has only the "view" permission for a +parent model, the entire displayed form will not be editable, even if the user +has permission to edit models included in inlines. + +This is a backwards-incompatible change, and the Django security team is aware +that some users of Django were depending on the ability to allow editing of +inlines in the admin form of an otherwise view-only parent model. + +Given the complexity of the Django admin, and in-particular the permissions +related checks, it is the view of the Django security team that this change was +necessary: that it is not currently feasible to maintain the existing behavior +whilst escaping the potential privilege escalation in a way that would avoid a +recurrence of similar issues in the future, and that would be compatible with +Django's *safe by default* philosophy. + +For the time being, developers whose applications are affected by this change +should replace the use of inlines in read-only parents with custom forms and +views that explicitly implement the desired functionality. In the longer term, +adding a documented, supported, and properly-tested mechanism for +partially-editable multi-model forms to the admin interface may occur in Django +itself. + +Thank you to Shen Ying for reporting this issue. Bugfixes ======== |