0.27.1

@aminalaee aminalaee released this 05 Jun 09:06
· 7 commits to main since this release
65b069a

Security

ModelView.sort_query() did not check the attacker-controlled sortBy
query parameter against the configured column_sortable_list allow-list,
so a request could sort by any column of the model (including ones hidden
from column_list) and by related-model columns via a dotted path —
turning row order into an information-exposure ordering oracle. sortBy
is now rejected with HTTP 400 unless it is present in the configured
sortable columns.
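The two behaviours described above, side by side, as an added illustration that is not sqladmin's own code: `sort_query_unchecked` honours any dotted attribute path taken from the request (the pre-0.27.1 behaviour), while `sort_query_checked` first requires the value to be in the configured sortable-column allow-list and otherwise answers with a 400. The `HTTPException` class, the `User`/`Team` models, `COLUMN_SORTABLE_LIST` and the sample rows are all constructed for this example; the real project sorts a SQLAlchemy query rather than a Python list, but the allow-list check is the same idea.

```python
"""Allow-listing a request-controlled sortBy parameter (added example, not sqladmin code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Iterable, List, Sequence


class HTTPException(Exception):
    """Stand-in for the web framework's HTTP error (constructed for this example)."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(f"{status_code}: {detail}")
        self.status_code = status_code
        self.detail = detail


@dataclass
class Team:
    name: str
    budget: int  # related-model column that was never meant to be listed


@dataclass
class User:
    id: int
    name: str
    email: str
    password_hash: str  # hidden from column_list in this constructed admin view
    team: Team


# column_sortable_list of the constructed admin view: only these may be sorted on.
COLUMN_SORTABLE_LIST: Sequence[str] = ("id", "name")

# Constructed sample rows; the hashes are placeholders, not real bcrypt output.
ROWS: List[User] = [
    User(1, "alice", "alice@example.test", "$2b$12$zzz", Team("blue", 300)),
    User(2, "bob", "bob@example.test", "$2b$12$aaa", Team("red", 100)),
    User(3, "carol", "carol@example.test", "$2b$12$mmm", Team("green", 200)),
]


def _resolve(obj: Any, dotted: str) -> Any:
    """Follow a dotted attribute path such as 'team.budget' (mirrors the dotted-path sort)."""
    for part in dotted.split("."):
        obj = getattr(obj, part)
    return obj


def sort_query_unchecked(rows: Iterable[User], sort_by: str, desc: bool = False) -> List[User]:
    """Pre-fix behaviour: whatever path the request names is used as the sort key,
    so hidden columns and related-model columns reorder the rows."""
    return sorted(rows, key=lambda r: _resolve(r, sort_by), reverse=desc)


def sort_query_checked(
    rows: Iterable[User],
    sort_by: str,
    desc: bool = False,
    sortable: Sequence[str] = COLUMN_SORTABLE_LIST,
) -> List[User]:
    """Fixed behaviour: reject sortBy with 400 unless it is on the allow-list."""
    if sort_by not in sortable:
        raise HTTPException(400, f"Invalid sortBy parameter: {sort_by!r}")
    return sort_query_unchecked(rows, sort_by, desc)


def names_in_order(rows: Iterable[User]) -> List[str]:
    """Row order made visible as a list of names, for comparing the two versions."""
    return [r.name for r in rows]


def status_for(sort_by: str) -> int:
    """HTTP status the checked version would return for a given sortBy value."""
    try:
        sort_query_checked(ROWS, sort_by)
    except HTTPException as exc:
        return exc.status_code
    return 200


if __name__ == "__main__":
    for param in ("name", "password_hash", "team.budget"):
        print(f"sortBy={param!r:16} unchecked -> {names_in_order(sort_query_unchecked(ROWS, param))}")
        print(f"sortBy={param!r:16} checked   -> HTTP {status_for(param)}")
```

Note the difference in what the two versions expose: with the unchecked variant, a column that is absent from `column_list` still influences the order of the returned rows, which is exactly the ordering oracle the release note describes. The check is deliberately an exact-match membership test against the configured list, so dotted paths are rejected unless the administrator explicitly listed them.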

Full Changelog: 0.27.0...0.27.1