#34831: Search in admin could allow issuing a query with many OR'd clauses
--------------------------------------+------------------------------------
Reporter: Natalia Bidart | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Natalia Bidart):
This was first reported as a security issue but the security team
concluded that this can be discussed and fixed in the open, given that the
user has to be already authenticated to issue the query (and the admin is
considered secured).
But, this issue could happen accidentally from legitimate users, so the
suggested fix is to limit the amount of terms that can be OR'd in the
resulting query.
--
Ticket URL: <https://code.djangoproject.com/ticket/34831#comment:1>