#15103: Django 1.2.4 breaks limit_choices_to for raw_id_fields
-------------------------------------------+--------------------------------
          Reporter:  natrius               |         Owner:  nobody
            Status:  new                   |     Milestone:  1.3
         Component:  django.contrib.admin  |       Version:  1.2
        Resolution:                        |      Keywords:  blocker regression send_mail email
             Stage:  Accepted              |     Has_patch:  0
        Needs_docs:  0                     |   Needs_tests:  0
Needs_better_patch:  0                     |
-------------------------------------------+--------------------------------
Comment (by russellm):

 lookup_internal was quite deliberately undocumented so that it wouldn't be
 official API, giving us the flexibility to change it if required. This was
 because #5833 (and at the time, #3400) is still lingering, and we didn't
 want to back ourselves into a corner.

 It's unfortunate that people are externally documenting the "fix" for the
 security problem to be "remove the security", but there's not much we can
 do beyond documenting the change.

 That said, I'm not completely convinced a change in signature is required.
 The patch you provide certainly works, and the broad thrust seems correct
 to me. However, the original security issue was about allowing completely
 arbitrary join combinations -- the absence of any security checks meant
 you could set up a query to retrieve password details, or anything else of
 interest in the database.

 If you're defining limit_choices_to = {'leader__name="palin"'} , you're
 pretty much saying that it's ok to inspect the name field of the leader
 relation. Ok; this would allow you to find out the name of any leader in
 the system, but only by a process of elimination, and you would only find
 the leader's name, and only if you already had access to the admin.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/15103#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
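The allow-list reasoning in the comment above (a relation path the developer declared in limit_choices_to is opted in; any undeclared join is refused), as an added Python example that is neither Django's code nor the patch under discussion. The schema, model names, field names and the set of lookup suffixes are hypothetical and constructed for the example.

```python
# Added example, not Django's own admin code. Models a minimal allow-list for
# admin-style query-string lookups: a field on the model itself is always
# queryable; a relation path is queryable only if the developer declared it
# in limit_choices_to. The schema below is a constructed, hypothetical stand-in.
from typing import Dict, FrozenSet, Optional

# Hypothetical schema: model -> {field: related model, or None for a plain column}
SCHEMA: Dict[str, Dict[str, Optional[str]]] = {
    "Team":   {"name": None, "leader": "Person"},
    "Person": {"name": None, "user": "User"},
    "User":   {"username": None, "password": None},
}
# Hypothetical lookup suffixes that may trail a field path (leader__name__iexact).
LOOKUP_TYPES = frozenset({"exact", "iexact", "contains", "in", "isnull"})


def _field_path(lookup: str) -> list:
    """Split 'leader__name__iexact' into ['leader', 'name'] (suffix stripped)."""
    parts = lookup.split("__")
    if len(parts) > 1 and parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]
    return parts


def declared_paths(limit_choices_to: Dict[str, object]) -> FrozenSet[str]:
    """Relation paths the developer opted into via limit_choices_to keys."""
    return frozenset("__".join(_field_path(key)) for key in limit_choices_to)


def lookup_allowed(model: str, lookup: str, limit_choices_to: Dict[str, object]) -> bool:
    """Return True if `lookup` may be applied to `model`.

    Unknown fields are refused; a local field needs no join and is allowed;
    a join across relations is allowed only when that exact path was declared.
    """
    parts = _field_path(lookup)
    current: Optional[str] = model
    for part in parts:                      # walk the schema, field by field
        fields = SCHEMA.get(current or "", {})
        if part not in fields:
            return False                    # unknown field or join past a plain column
        current = fields[part]
    if len(parts) == 1:
        return True                         # local field, no relation traversed
    return "__".join(parts) in declared_paths(limit_choices_to)
```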