Infra/lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prevent unintended access to sensitive fields (passwords, private keys) (#876)

Browse Source 
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.

The filter() function allowed guessing the content of password hashes
one character at a time.

The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
This commit is contained in:
Marti Raudsepp
2017-08-16 19:38:42 +03:00
committed by kevgliss
parent b40c6a1c67
commit cf805f530f
8 changed files with 51 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lemur/exceptions.py
View File

@ -29,7 +29,7 @@ class AttrNotFound(LemurException):
self.field = field
def __str__(self):
return repr("The field '{0}' is not sortable".format(self.field))
return repr("The field '{0}' is not sortable or filterable".format(self.field))
class InvalidConfiguration(Exception):