The Django project reports the following issue:

"" Django's administrative interface, ``django.contrib.admin``, offers a feature whereby related objects can be displayed for selection in a popup window. The mechanism for this relies on placing values in the URL and querystring which specify the related model to display and the field through which the relationship is implemented. This mechanism does perform permission checks at the level of the model class as a whole. This mechanism did not, however, verify that the specified field actually represents a relationship between models. Thus a user with access to the admin interface, and with sufficient knowledge of model structure and the appropriate URLs, could construct popup views which would display the values of non-relationship fields, including fields the application developer had not intended to expose in such a fashion. To remedy this, the admin interface will now, in addition to its normal permission checks, verify that the specified field does indeed represent a relationship, to a model registered with the admin, and will raise an exception if either condition is not true. ""

This issue is due to be resolved in the upstream 1.4.14, 1.5.9, 1.6.6, and 1.7 release candidate 3 releases.

Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Collin Anderson as the original reporter.
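As an added illustration of the two conditions the advisory describes (not Django's own code or the attached patches), the check below is written against a hypothetical in-memory stand-in for the admin registry; the `AdminSite`, `Model` and `Field` classes, the sample `Ticket`/`User` schema and the `check_to_field`/`popup_allowed` helpers are all constructed for this example:

```python
from dataclasses import dataclass
from typing import Dict, Optional

class DisallowedModelAdminToField(Exception):
    """Raised when a popup's to_field does not name an admin-visible relationship."""

@dataclass(frozen=True)
class Field:
    name: str
    related_model: Optional[str] = None  # target model for FK/M2M, None for a plain column

@dataclass
class Model:
    name: str
    fields: Dict[str, Field]

class AdminSite:  # hypothetical stand-in for the admin registry, not django.contrib.admin
    def __init__(self):
        self._registry: Dict[str, Model] = {}

    def register(self, model: Model) -> None:
        self._registry[model.name] = model

def check_to_field(site: AdminSite, model: Model, to_field: str) -> Field:
    """The two extra conditions from the advisory, applied after the usual
    model-level permission check: the field must be a relationship, and the
    model it points at must be registered with this admin site."""
    fld = model.fields.get(to_field)
    if fld is None or fld.related_model is None:
        raise DisallowedModelAdminToField("%s.%s is not a relationship field" % (model.name, to_field))
    if fld.related_model not in site._registry:
        raise DisallowedModelAdminToField("%s is not registered with the admin" % fld.related_model)
    return fld

def popup_allowed(site: AdminSite, model: Model, to_field: str) -> bool:
    try:
        check_to_field(site, model, to_field)
    except DisallowedModelAdminToField:
        return False
    return True

# Constructed sample schema: Ticket has a FK to a registered User, a FK to an
# unregistered AuditLog, and a plain text column never meant to be listed in a popup.
SITE = AdminSite()
USER = Model("User", {"id": Field("id"), "email": Field("email")})
TICKET = Model("Ticket", {"id": Field("id"), "owner": Field("owner", "User"),
                          "log": Field("log", "AuditLog"), "internal_notes": Field("internal_notes")})
SITE.register(USER)
SITE.register(TICKET)
```

Only the relationship to a registered model passes; a plain column, a relationship to an unregistered model, or an unknown field name is rejected before any values are listed.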
Created attachment 926648: 1.4 patch
Created attachment 926649: 1.5 patch
Created attachment 926650: 1.6 patch
External References: https://www.djangoproject.com/weblog/2014/aug/20/security/
Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1132776]
Created python-django15 tracking bugs for this issue: Affects: fedora-20 [bug 1132775] Affects: epel-6 [bug 1132777] Affects: epel-7 [bug 1132778]
Created python-django14 tracking bugs for this issue: Affects: fedora-all [bug 1132774]
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1132773]
python-django-1.6.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.14-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django15-1.5.9-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Django14-1.4.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.16-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.