[1.2.X] Fixed #14999 -- Ensure that filters on local fields are allowed, and aren't caught as a security problem. Thanks to medhat for the report.

Backport of r15139 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15140 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit c76ab45fc650ac4fbcf2dba02231776d7b23f1e2 1 parent 9f49666
Russell Keith-Magee authored January 03, 2011
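--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -206,6 +206,8 @@ def lookup_allowed(self, lookup):
             # later.
             return True
         else:
+            if len(parts) == 1:
+                return True
             clean_lookup = LOOKUP_SEP.join(parts)
             return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
 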
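Review bot: The early return added at new line 209 admits every single-segment lookup without a comment saying why that is safe, while the two lines below it still require everything else to be whitelisted in `list_filter` or `date_hierarchy`. A reader of this branch cannot tell that the whitelist appears to exist to block lookups that traverse a relation into another model's data, and that a one-part lookup can only reach a field of the local model once the trailing query term has been stripped (that stripping, if it happens, is in the part of the method above the hunk). Suggest `# A one-part lookup names a field on this model; the list_filter/date_hierarchy whitelist only guards lookups that cross a relation.` directly above the `if`. lookup_allowed, including the code that builds `parts` and the `try` this `else` belongs to, starts outside the hunk, so that wording should be checked against it.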
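--- a/tests/regressiontests/admin_views/models.py
+++ b/tests/regressiontests/admin_views/models.py
@@ -173,6 +173,7 @@ class Person(models.Model):
     )
     name = models.CharField(max_length=100)
     gender = models.IntegerField(choices=GENDER_CHOICES)
+    age = models.IntegerField(default=21)
     alive = models.BooleanField()
 
     def __unicode__(self):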
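--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -306,6 +306,11 @@ def test_disallowed_filtering(self):
             self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
         )
 
+        try:
+            self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")
+        except SuspiciousOperation:
+            self.fail("Filters should be allowed if they involve a local field without the need to whitelist them in list_filter or date_hierarchy.")
+
 class SaveAsTests(TestCase):
     fixtures = ['admin-views-users.xml','admin-views-person.xml']
 
@@ -317,7 +322,7 @@ def tearDown(self):
 
     def test_save_as_duplication(self):
         """Ensure save as actually creates a new person"""
-        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1}
+        post_data = {'_saveasnew':'', 'name':'John M', 'gender':1, 'age': 42}
         response = self.client.post('/test_admin/admin/admin_views/person/1/', post_data)
         self.assertEqual(len(Person.objects.filter(name='John M')), 1)
         self.assertEqual(len(Person.objects.filter(id=1)), 1)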
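Review bot: The new block in test_disallowed_filtering (new lines 309-313) only proves that the `age__gt=30` request does not raise SuspiciousOperation; it discards the response, so a future change that swallowed the error and rendered an error page or an unfiltered list would still pass. Binding the result and asserting on it pins the positive path: `response = self.client.get("/test_admin/admin/admin_views/person/?age__gt=30")` inside the `try`, followed by `self.assertEqual(response.status_code, 200)` after it. The test function starts above the hunk, and the assertRaises call whose tail is visible at the top covers the disallowed case, so this is the only assertion for the allowed-local-field behaviour the commit introduces. The `'age': 42` addition in the second hunk just keeps the save-as POST consistent with the new Person.age field and needs nothing further.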
