~ubuntu-branches/ubuntu/lucid/python-django/lucid-security


Viewing changes to debian/patches/CVE-2014-0483-bug23329.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-09-10 13:07:32 UTC
  • Revision ID: package-import@ubuntu.com-20140910130732-ggo4hojqf9z22axy
Tags: 1.1.1-2ubuntu1.13
* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USER change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.




 
1
Backport of:
 
2
 
 
3
From 4685026840f0e2b895f980b6a33ad1b282aa7852 Mon Sep 17 00:00:00 2001
 
4
From: Simon Charette <charette.s@gmail.com>
 
5
Date: Thu, 21 Aug 2014 11:55:23 -0400
 
6
Subject: [PATCH] [1.4.x] Fixed #23329 -- Allowed inherited and m2m fields to
 
7
 be referenced in the admin.
 
8
 
 
9
Thanks to Trac alias Markush2010 and ross for the detailed reports.
 
10
 
 
11
Backport of 3cbb759 from master
 
12
---
 
13
 django/contrib/admin/options.py             | 10 ++++++----
 
14
 docs/releases/1.4.15.txt                    | 13 +++++++++++++
 
15
 docs/releases/index.txt                     |  1 +
 
16
 tests/regressiontests/admin_views/admin.py  |  5 ++++-
 
17
 tests/regressiontests/admin_views/models.py | 18 ++++++++++++++++++
 
18
 tests/regressiontests/admin_views/tests.py  |  9 +++++++++
 
19
 6 files changed, 51 insertions(+), 5 deletions(-)
 
20
 create mode 100644 docs/releases/1.4.15.txt
 
21
 
 
22
Index: python-django-1.1.1/django/contrib/admin/options.py
 
23
===================================================================
 
24
--- python-django-1.1.1.orig/django/contrib/admin/options.py    2014-09-10 14:46:56.858879042 -0400
 
25
+++ python-django-1.1.1/django/contrib/admin/options.py 2014-09-10 14:46:56.850879042 -0400
 
26
@@ -300,11 +300,13 @@
 
27
             return False
 
28
 
 
29
         # Make sure at least one of the models registered for this site
 
30
-        # references this field.
 
31
+        # references this field through a FK or a M2M relationship.
 
32
         registered_models = self.admin_site._registry
 
33
-        for related_object in opts.get_all_related_objects():
 
34
-            if (related_object.model in registered_models and
 
35
-                    field == related_object.field.rel.get_related_field()):
 
36
+        for related_object in (opts.get_all_related_objects() +
 
37
+                               opts.get_all_related_many_to_many_objects()):
 
38
+            related_model = related_object.model
 
39
+            if (any(issubclass(model, related_model) for model in registered_models) and
 
40
+                    related_object.field.rel.get_related_field() == field):
 
41
                 return True
 
42
 
 
43
         return False
 
44
Index: python-django-1.1.1/tests/regressiontests/admin_views/models.py
 
45
===================================================================
 
46
--- python-django-1.1.1.orig/tests/regressiontests/admin_views/models.py        2014-09-10 14:46:56.858879042 -0400
 
47
+++ python-django-1.1.1/tests/regressiontests/admin_views/models.py     2014-09-10 14:47:29.134879225 -0400
 
48
@@ -427,6 +427,22 @@
 
49
 class CollectorAdmin(admin.ModelAdmin):
 
50
     inlines = [WidgetInline, DooHickeyInline, GrommetInline, WhatsitInline, FancyDoodadInline, CategoryInline]
 
51
 
 
52
+# Models for #23329
 
53
+class ReferencedByParent(models.Model):
 
54
+    pass
 
55
+
 
56
+
 
57
+class ParentWithFK(models.Model):
 
58
+    fk = models.ForeignKey(ReferencedByParent)
 
59
+
 
60
+
 
61
+class ChildOfReferer(ParentWithFK):
 
62
+    pass
 
63
+
 
64
+
 
65
+class M2MReference(models.Model):
 
66
+    ref = models.ManyToManyField('self')
 
67
+
 
68
 admin.site.register(Article, ArticleAdmin)
 
69
 admin.site.register(CustomArticle, CustomArticleAdmin)
 
70
 admin.site.register(Section, save_as=True, inlines=[ArticleInline])
 
71
@@ -450,6 +466,9 @@
 
72
 admin.site.register(Recommender)
 
73
 admin.site.register(Collector, CollectorAdmin)
 
74
 admin.site.register(Category, CategoryAdmin)
 
75
+admin.site.register(ReferencedByParent)
 
76
+admin.site.register(ChildOfReferer)
 
77
+admin.site.register(M2MReference)
 
78
 
 
79
 # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
 
80
 # That way we cover all four cases:
 
81
Index: python-django-1.1.1/tests/regressiontests/admin_views/tests.py
 
82
===================================================================
 
83
--- python-django-1.1.1.orig/tests/regressiontests/admin_views/tests.py 2014-09-10 14:46:56.858879042 -0400
 
84
+++ python-django-1.1.1/tests/regressiontests/admin_views/tests.py      2014-09-10 14:48:19.918879511 -0400
 
85
@@ -259,6 +259,15 @@
 
86
         response = self.client.get("/test_admin/admin/admin_views/section/", {TO_FIELD_VAR: 'id'})
 
87
         self.assertEqual(response.status_code, 200)
 
88
 
 
89
+        # Specifying a field referenced by another model though a m2m should be allowed.
 
90
+        response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'})
 
91
+        self.assertEqual(response.status_code, 200)
 
92
+
 
93
+        # Specifying a field that is not refered by any other model directly registered
 
94
+        # to this admin site but registered through inheritance should be allowed.
 
95
+        response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'})
 
96
+        self.assertEqual(response.status_code, 200)
 
97
+
 
98
 
 
99
 class SaveAsTests(TestCase):
 
100
     fixtures = ['admin-views-users.xml','admin-views-person.xml']
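Review bot: The widened check in the options.py hunk (`any(issubclass(model, related_model) for model in registered_models)` plus the added `get_all_related_many_to_many_objects()` set) is only exercised by positive assertions — the new tests for `m2mreference` and `referencedbyparent` each assert a 200 — so nothing proves that a field reachable through neither a registered model nor a registered subclass is still rejected after the loosening. Because this loop is the guard the CVE-2014-0483 fix put on the admin `t=` query-string parameter, I would add a negative case beside the new ones, e.g. a model referenced only by `ParentWithFK` (which is deliberately left unregistered) with an assertion that the response is the disallowed status the rest of this test method uses; that method starts before the hunk, so an existing negative assertion there would cover the old path but not the inheritance/M2M branch. A why-comment above the loop would also help a backporter reading `issubclass` in a security check: `# A registered subclass inherits the parent's FK/M2M, so the referenced field is still reachable from the admin; proxy models count too.`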