
Viewing changes to debian/patches/CVE-2014-0483-bug23431.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-09-10 13:07:32 UTC
  • Revision ID: package-import@ubuntu.com-20140910130732-ggo4hojqf9z22axy
Tags: 1.1.1-2ubuntu1.13
* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USER change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

 
1
Backport of:
 
2
 
 
3
From 065caafa70b6c422f73e364a4c241b6538969d7b Mon Sep 17 00:00:00 2001
 
4
From: Simon Charette <charette.s@gmail.com>
 
5
Date: Thu, 4 Sep 2014 17:04:53 -0400
 
6
Subject: [PATCH] [1.4.x] Fixed #23431 -- Allowed inline and hidden references
 
7
 to admin fields.
 
8
 
 
9
This fixes a regression introduced by the 53ff096982 security fix.
 
10
 
 
11
Thanks to @a1tus for the report and Tim for the review.
 
12
 
 
13
refs #23329.
 
14
 
 
15
Backport of 342ccbd from master
 
16
---
 
17
 django/contrib/admin/options.py             | 13 +++++++++++--
 
18
 docs/releases/1.4.16.txt                    | 13 +++++++++++++
 
19
 docs/releases/index.txt                     |  1 +
 
20
 tests/regressiontests/admin_views/admin.py  | 13 ++++++++++++-
 
21
 tests/regressiontests/admin_views/models.py | 12 ++++++++++++
 
22
 tests/regressiontests/admin_views/tests.py  |  7 ++++++-
 
23
 6 files changed, 55 insertions(+), 4 deletions(-)
 
24
 create mode 100644 docs/releases/1.4.16.txt
 
25
 
 
26
Index: python-django-1.1.1/django/contrib/admin/options.py
 
27
===================================================================
 
28
--- python-django-1.1.1.orig/django/contrib/admin/options.py    2014-09-10 14:49:03.902879759 -0400
 
29
+++ python-django-1.1.1/django/contrib/admin/options.py 2014-09-10 14:49:03.894879759 -0400
 
30
@@ -292,6 +292,10 @@
 
31
     media = property(_media)
 
32
 
 
33
     def to_field_allowed(self, request, to_field):
 
34
+        """
 
35
+        Returns True if the model associated with this admin should be
 
36
+        allowed to be referenced by the specified field.
 
37
+        """
 
38
         opts = self.model._meta
 
39
 
 
40
         try:
 
41
@@ -301,8 +305,13 @@
 
42
 
 
43
         # Make sure at least one of the models registered for this site
 
44
         # references this field through a FK or a M2M relationship.
 
45
-        registered_models = self.admin_site._registry
 
46
-        for related_object in (opts.get_all_related_objects() +
 
47
+        registered_models = set()
 
48
+        for model, admin in self.admin_site._registry.items():
 
49
+            registered_models.add(model)
 
50
+            for inline in admin.inlines:
 
51
+                registered_models.add(inline.model)
 
52
+
 
53
+        for related_object in (opts.get_all_related_objects() +
 
54
                                opts.get_all_related_many_to_many_objects()):
 
55
             related_model = related_object.model
 
56
             if (any(issubclass(model, related_model) for model in registered_models) and
 
57
Index: python-django-1.1.1/tests/regressiontests/admin_views/models.py
 
58
===================================================================
 
59
--- python-django-1.1.1.orig/tests/regressiontests/admin_views/models.py        2014-09-10 14:49:03.902879759 -0400
 
60
+++ python-django-1.1.1/tests/regressiontests/admin_views/models.py     2014-09-10 14:49:03.894879759 -0400
 
61
@@ -443,6 +443,26 @@
 
62
 class M2MReference(models.Model):
 
63
     ref = models.ManyToManyField('self')
 
64
 
 
65
+# Models for #23431
 
66
+class ReferencedByInline(models.Model):
 
67
+    pass
 
68
+
 
69
+
 
70
+class InlineReference(models.Model):
 
71
+    fk = models.ForeignKey(ReferencedByInline, related_name='hidden+')
 
72
+
 
73
+
 
74
+class InlineReferer(models.Model):
 
75
+    refs = models.ManyToManyField(InlineReference)
 
76
+
 
77
+class InlineReferenceInline(admin.TabularInline):
 
78
+    model = InlineReference
 
79
+
 
80
+
 
81
+class InlineRefererAdmin(admin.ModelAdmin):
 
82
+    inlines = [InlineReferenceInline]
 
83
+
 
84
+
 
85
 admin.site.register(Article, ArticleAdmin)
 
86
 admin.site.register(CustomArticle, CustomArticleAdmin)
 
87
 admin.site.register(Section, save_as=True, inlines=[ArticleInline])
 
88
@@ -469,6 +489,8 @@
 
89
 admin.site.register(ReferencedByParent)
 
90
 admin.site.register(ChildOfReferer)
 
91
 admin.site.register(M2MReference)
 
92
+admin.site.register(ReferencedByInline)
 
93
+admin.site.register(InlineReferer, InlineRefererAdmin)
 
94
 
 
95
 # We intentionally register Promo and ChapterXtra1 but not Chapter nor ChapterXtra2.
 
96
 # That way we cover all four cases:
 
97
Index: python-django-1.1.1/tests/regressiontests/admin_views/tests.py
 
98
===================================================================
 
99
--- python-django-1.1.1.orig/tests/regressiontests/admin_views/tests.py 2014-09-10 14:49:03.902879759 -0400
 
100
+++ python-django-1.1.1/tests/regressiontests/admin_views/tests.py      2014-09-10 14:49:51.582880029 -0400
 
101
@@ -263,11 +263,16 @@
 
102
         response = self.client.get("/test_admin/admin/admin_views/m2mreference/", {TO_FIELD_VAR: 'id'})
 
103
         self.assertEqual(response.status_code, 200)
 
104
 
 
105
-        # Specifying a field that is not refered by any other model directly registered
 
106
+        # #23329 - Specifying a field that is not refered by any other model directly registered
 
107
         # to this admin site but registered through inheritance should be allowed.
 
108
         response = self.client.get("/test_admin/admin/admin_views/referencedbyparent/", {TO_FIELD_VAR: 'id'})
 
109
         self.assertEqual(response.status_code, 200)
 
110
 
 
111
+        # #23431 - Specifying a field that is only refered to by a inline of a registered
 
112
+        # model should be allowed.
 
113
+        response = self.client.get("/test_admin/admin/admin_views/referencedbyinline/", {TO_FIELD_VAR: 'id'})
 
114
+        self.assertEqual(response.status_code, 200)
 
115
+
 
116
 
 
117
 class SaveAsTests(TestCase):
 
118
     fixtures = ['admin-views-users.xml','admin-views-person.xml']
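Review bot: The options.py hunk (gutter lines 30–56) carries over the inline half of the upstream subject "Allowed inline and hidden references" but nothing for the hidden half: the re-added `for related_object in (opts.get_all_related_objects() +` at gutter line 53 is byte-identical to the removed line at 46, so the way relations whose `related_name` ends in `+` are enumerated is unchanged by this backport, and nothing in the patch header records why. If that is deliberate because python-django 1.1.1's `get_all_related_objects()` takes no `include_hidden` argument, say so in the header, e.g. a line after "Backport of 342ccbd from master" reading `Backport note: upstream include_hidden handling not carried over; 1.1 get_all_related_objects() has no such argument` — confirm that against django/db/models/options.py in this tree before adding it. The models.py hunk's `InlineReference.fk` uses `related_name='hidden+'` while the tests.py hunk only requests `referencedbyinline` with `to_field=id`, so the new test exercises the inline path and does not by itself show that a hidden reference is accepted or rejected as intended. `to_field_allowed` continues past the end of the hunk, so the comparison that follows the `any(issubclass(...))` check is not visible here.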