Merge pull request #967 from jacobian/ticket/20078-admin-user-passwor…

…d-filtering

Fixed #20078: don't allow filtering on password in the user admin.
commit 95b88fd4ece30536f331f5bba483fe9d937a73ae 2 parents f6989e5 + 9e462f8
Jacob Kaplan-Moss authored
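--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -83,6 +83,12 @@ def get_urls(self):
               self.admin_site.admin_view(self.user_change_password))
         ) + super(UserAdmin, self).get_urls()
 
+    def lookup_allowed(self, lookup, value):
+        # See #20078: we don't want to allow any lookups involving passwords.
+        if lookup.startswith('password'):
+            return False
+        return super(UserAdmin, self).lookup_allowed(lookup, value)
+
     @sensitive_post_parameters()
     @csrf_protect_m
     @transaction.atomic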
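--- a/django/contrib/auth/tests/urls_admin.py
+++ b/django/contrib/auth/tests/urls_admin.py
@@ -0,0 +1,18 @@
+"""
+Test URLs for auth admins.
+"""
+
+from django.conf.urls import patterns, include
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin, GroupAdmin
+from django.contrib.auth.models import User, Group
+from django.contrib.auth.urls import urlpatterns
+
+# Create a silo'd admin site for just the user/group admins.
+site = admin.AdminSite(name='auth_test_admin')
+site.register(User, UserAdmin)
+site.register(Group, GroupAdmin)
+
+urlpatterns = urlpatterns + patterns('',
+    (r'^admin/', include(site.urls)),
+)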
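--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -528,3 +528,18 @@ def test_security_check(self, password='password'):
             self.assertTrue(good_url in response.url,
                             "%s should be allowed" % good_url)
             self.confirm_logged_out()
+
+@skipIfCustomUser
+class ChangelistTests(AuthViewsTestCase):
+    urls = 'django.contrib.auth.tests.urls_admin'
+
+    # #20078 - users shouldn't be allowed to guess password hashes via
+    # repeated password__startswith queries.
+    def test_changelist_disallows_password_lookups(self):
+        # Make me a superuser before loging in.
+        User.objects.filter(username='testclient').update(is_staff=True, is_superuser=True)
+        self.login()
+
+        # A lookup that tries to filter on password isn't OK
+        with self.assertRaises(SuspiciousOperation):
+            response = self.client.get('/admin/auth/user/?password__startswith=sha1$')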
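Review bot: The new test pins only the rejected lookup; a second request in the same method with a permitted filter, e.g. `response = self.client.get('/admin/auth/user/?username__startswith=test')` followed by `self.assertEqual(response.status_code, 200)`, would also show that the override still delegates ordinary lookups to the base class (assuming the base lookup_allowed accepts a direct-field lookup, which the hunk does not show). On the last line `response` is assigned but never read, so the `self.client.get(...)` call can stand alone inside the `with` block. The comment `# Make me a superuser before loging in.` should read `logging in`.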
