chrisspen/django-chroniker

Setting to disable raw_command

LaurensBosscher opened this issue · 5 comments

Hi!

In case less trusted parties have access to the Django Admin the 'raw_command' option is a huge vulnerability.

Would you accept a pull-request that allows this option to be disabled through the Django settings?

Sure, that seems reasonable.

Would it be possible to make a multiple-step activation? Or a mandatory admin notification in case a new raw_command task is created or modified...

Just about anything's possible, but I'd imagine that would require more work and probably an additional model. Since it's likely you're the only one that would use it, I'd recommend against overcomplicating it.

@diegofcoelho

For our use case simply disabling it would be enough, but I reckon it would be easy to extend on that after the pull request if you would like to have that functionality.

I'll try to start working on that this weekend; I hope to have a pull request by Monday.

Just a quick update, I've a branch with the changes. We'll test it in one of our projects next week and do an internal security review before submitting it as a pull-request.

I've decided to minimize the changes to the core code, so the diff is very readable. If someone is interested please take a look here: master...LaurensBosscher:DISABLE_RAW_COMMAND
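The thread asks for two things: a Django setting that disables `raw_command` outright, and (as a possible extension) an admin notification whenever a raw command is created or modified. The example below is added here to illustrate that shape; it is not django-chroniker's code and not the linked branch. The setting name `CHRONIKER_DISABLE_RAW_COMMAND`, the `JobData` shape and the `make_settings` stand-in for `django.conf.settings` are assumptions so the example runs without Django installed. It also re-checks the gate at execution time, since jobs saved before the setting was turned on may still carry a raw command.

```python
"""Settings-gated guard for a free-form 'raw_command' field on scheduled jobs.

Added example, not django-chroniker's own code. The setting name
CHRONIKER_DISABLE_RAW_COMMAND and the JobData fields are assumptions.
"""
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Callable, List, Optional, Tuple
import shlex


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError (keeps the example Django-free)."""


@dataclass
class JobData:
    name: str = ""
    command: str = ""       # name of a registered management command
    raw_command: str = ""   # free-form shell command line (the risky field)


def make_settings(disable_raw_command: bool) -> SimpleNamespace:
    """Constructed stand-in for django.conf.settings."""
    return SimpleNamespace(CHRONIKER_DISABLE_RAW_COMMAND=disable_raw_command)


def raw_command_disabled(conf) -> bool:
    # Fail closed: if the setting is absent, treat raw commands as disabled.
    return bool(getattr(conf, "CHRONIKER_DISABLE_RAW_COMMAND", True))


def clean_job(data: JobData, conf, existing: Optional[JobData] = None,
              notify: Optional[Callable[[str], None]] = None) -> JobData:
    """Form-level validation an admin ModelForm.clean() would apply.

    Gate on: any non-empty raw_command is rejected, on new jobs and edits alike.
    Gate off: a new or changed raw_command is reported through `notify` so that
    administrators see a shell command was introduced or altered.
    """
    raw = (data.raw_command or "").strip()
    if raw_command_disabled(conf):
        if raw:
            raise ValidationError(
                "raw_command is disabled by CHRONIKER_DISABLE_RAW_COMMAND")
        return data
    previous = (existing.raw_command or "").strip() if existing else ""
    if raw and raw != previous and notify is not None:
        verb = "modified" if previous else "created"
        notify(f"raw_command {verb} on job {data.name!r}: {raw!r}")
    return data


def rejection_message(data: JobData, conf, existing: Optional[JobData] = None) -> str:
    """Mirror of form.errors: the validation message, or '' when the job is accepted."""
    try:
        clean_job(data, conf, existing)
    except ValidationError as exc:
        return str(exc)
    return ""


def plan_execution(job: JobData, conf) -> Tuple[str, List[str]]:
    """Runner-side guard (defence in depth): rows that predate the setting change
    may still hold a raw_command, so the executor re-checks the gate instead of
    trusting that the form caught everything. Returns the kind of job and the argv
    that would run; nothing is launched here."""
    raw = (job.raw_command or "").strip()
    if raw:
        if raw_command_disabled(conf):
            return ("refused", [f"raw_command disabled; job {job.name!r} not run"])
        return ("raw", shlex.split(raw))
    if not job.command:
        return ("refused", [f"job {job.name!r} has no command"])
    return ("management", ["manage.py", job.command])


if __name__ == "__main__":
    locked, opened = make_settings(True), make_settings(False)
    events: List[str] = []
    print(rejection_message(JobData(name="nightly", raw_command="echo hi"), locked))
    clean_job(JobData(name="nightly", raw_command="echo hi"), opened, notify=events.append)
    print(events)
    print(plan_execution(JobData(name="backup", command="dumpdata"), locked))
```

In a real Django project the `clean_job` logic would live in the admin's `ModelForm.clean()`, and the `plan_execution` check in whatever runs the job; keeping both means flipping the setting is enough to stop raw commands without first editing every stored job.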