mirror of
https://github.com/django/django.git
synced 2025-07-24 13:44:32 +00:00
Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.
Thank you to Shen Ying for reporting this issue.
This commit is contained in:
Carlton Gibson
parent
39e39d0ac1
commit
11c5e0609b
10 changed files with 216 additions and 87 deletions
|
|
@ -4,7 +4,46 @@ Django 2.1.15 release notes
|
|||
|
||||
*Expected December 2, 2019*
|
||||
|
||||
Django 2.1.15 fixes a data loss bug in 2.1.14.
|
||||
Django 2.1.15 fixes a security issue and a data loss bug in 2.1.14.
|
||||
|
||||
CVE-2019-19118: Privilege escalation in the Django admin.
|
||||
=========================================================
|
||||
|
||||
Since Django 2.1, a Django model admin displaying a parent model with related
|
||||
model inlines, where the user has view-only permissions to a parent model but
|
||||
edit permissions to the inline model, would display a read-only view of the
|
||||
parent model but editable forms for the inline.
|
||||
|
||||
Submitting these forms would not allow direct edits to the parent model, but
|
||||
would trigger the parent model's ``save()`` method, and cause pre and post-save
|
||||
signal handlers to be invoked. This is a privilege escalation as a user who
|
||||
lacks permission to edit a model should not be able to trigger its save-related
|
||||
signals.
|
||||
|
||||
To resolve this issue, the permission handling code of the Django admin
|
||||
interface has been changed. Now, if a user has only the "view" permission for a
|
||||
parent model, the entire displayed form will not be editable, even if the user
|
||||
has permission to edit models included in inlines.
|
||||
|
||||
This is a backwards-incompatible change, and the Django security team is aware
|
||||
that some users of Django were depending on the ability to allow editing of
|
||||
inlines in the admin form of an otherwise view-only parent model.
|
||||
|
||||
Given the complexity of the Django admin, and in-particular the permissions
|
||||
related checks, it is the view of the Django security team that this change was
|
||||
necessary: that it is not currently feasible to maintain the existing behavior
|
||||
whilst escaping the potential privilege escalation in a way that would avoid a
|
||||
recurrence of similar issues in the future, and that would be compatible with
|
||||
Django's *safe by default* philosophy.
|
||||
|
||||
For the time being, developers whose applications are affected by this change
|
||||
should replace the use of inlines in read-only parents with custom forms and
|
||||
views that explicitly implement the desired functionality. In the longer term,
|
||||
adding a documented, supported, and properly-tested mechanism for
|
||||
partially-editable multi-model forms to the admin interface may occur in Django
|
||||
itself.
|
||||
|
||||
Thank you to Shen Ying for reporting this issue.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
|
|
|||
|
|
@ -4,8 +4,47 @@ Django 2.2.8 release notes
|
|||
|
||||
*Expected December 2, 2019*
|
||||
|
||||
Django 2.2.8 fixes several bugs in 2.2.7 and adds compatibility with Python
|
||||
3.8.
|
||||
Django 2.2.8 fixes a security issue, several bugs in 2.2.7, and adds
|
||||
compatibility with Python 3.8.
|
||||
|
||||
CVE-2019-19118: Privilege escalation in the Django admin.
|
||||
=========================================================
|
||||
|
||||
Since Django 2.1, a Django model admin displaying a parent model with related
|
||||
model inlines, where the user has view-only permissions to a parent model but
|
||||
edit permissions to the inline model, would display a read-only view of the
|
||||
parent model but editable forms for the inline.
|
||||
|
||||
Submitting these forms would not allow direct edits to the parent model, but
|
||||
would trigger the parent model's ``save()`` method, and cause pre and post-save
|
||||
signal handlers to be invoked. This is a privilege escalation as a user who
|
||||
lacks permission to edit a model should not be able to trigger its save-related
|
||||
signals.
|
||||
|
||||
To resolve this issue, the permission handling code of the Django admin
|
||||
interface has been changed. Now, if a user has only the "view" permission for a
|
||||
parent model, the entire displayed form will not be editable, even if the user
|
||||
has permission to edit models included in inlines.
|
||||
|
||||
This is a backwards-incompatible change, and the Django security team is aware
|
||||
that some users of Django were depending on the ability to allow editing of
|
||||
inlines in the admin form of an otherwise view-only parent model.
|
||||
|
||||
Given the complexity of the Django admin, and in-particular the permissions
|
||||
related checks, it is the view of the Django security team that this change was
|
||||
necessary: that it is not currently feasible to maintain the existing behavior
|
||||
whilst escaping the potential privilege escalation in a way that would avoid a
|
||||
recurrence of similar issues in the future, and that would be compatible with
|
||||
Django's *safe by default* philosophy.
|
||||
|
||||
For the time being, developers whose applications are affected by this change
|
||||
should replace the use of inlines in read-only parents with custom forms and
|
||||
views that explicitly implement the desired functionality. In the longer term,
|
||||
adding a documented, supported, and properly-tested mechanism for
|
||||
partially-editable multi-model forms to the admin interface may occur in Django
|
||||
itself.
|
||||
|
||||
Thank you to Shen Ying for reporting this issue.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue