#33844: Possible regression with 3.2.10 and admin.ModelAdmin.change_view()
-------------------------------------+-------------------------------------
     Reporter:  mike dewhirst        |                    Owner:  nobody
         Type:  Uncategorized        |                   Status:  closed
    Component:  Uncategorized        |                  Version:  4.0
     Severity:  Normal               |               Resolution:  needsinfo
     Keywords:  stripe admin         |             Triage Stage:
  change_view                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * status:  new => closed
 * resolution:   => needsinfo


Comment:

 This is almost certainly a consequence of
 333c65603032c377e682cdbd7388657a5463a05a for CVE-2021-44420.

 Your URL patterns end with `$` so they'll be matched against a
 `fullmatch()` rather than a `search()`.

 How exactly that's leading to the error is hard to see — Whilst you've
 given a sample project, there's too much noise in it with all the
 Stripe code (which isn't runnable as provided) to spot what's going on in
 Django.

 Steps forward would be to isolate the Django code, and show how the value
 is coming up. (Can you add a test case to the test.py that fails, so
 giving a traceback, but doesn't involve hitting the Stripe API?)

 > `/admin/polls/question/1/change/payment/change/`

 Where exactly is that URL being generated? The `1` is correct but then
 it's getting the extra `payment/change/` added on.

 Almost certainly, the change in behaviour is just a consequence of the
 security fix, so not something we'd revert. But that it's causing an issue
 for you implies an issue in your code to address.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33844#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
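
The `search()` versus `fullmatch()` difference mentioned in the comment above, as an added example that is not code from the ticket, the reporter's project or Django: it uses only Python's `re` module to list the paths a `$`-terminated pattern accepts under `search()` but rejects under `fullmatch()`. The patterns, paths and function names are constructed for illustration and are assumptions.

```python
import re

# Constructed sample patterns and paths (assumptions, not the ticket's project).
PATTERNS = [
    r"^(?P<object_id>\d+)/change/$",  # anchored at both ends
    r"payment/change/$",              # ends in $ but has no leading ^
]
PATHS = [
    "1/change/",
    "1/change/\n",                    # `$` also matches just before a trailing newline
    "1/change/payment/change/",
]


def compare(pattern, path):
    """Return (search_hit, fullmatch_hit) for one pattern and one path."""
    regex = re.compile(pattern)
    return (regex.search(path) is not None, regex.fullmatch(path) is not None)


def behaviour_changes(patterns, paths):
    """List (pattern, path) pairs that search() accepts but fullmatch() rejects."""
    changed = []
    for pattern in patterns:
        if not pattern.endswith("$"):
            continue  # the comment only concerns patterns ending in `$`
        for path in paths:
            search_hit, full_hit = compare(pattern, path)
            if search_hit and not full_hit:
                changed.append((pattern, path))
    return changed


if __name__ == "__main__":
    for pattern, path in behaviour_changes(PATTERNS, PATHS):
        print(f"{pattern!r} matched {path!r} with search() but not with fullmatch()")
```

Running the same comparison over a project's own `$`-terminated patterns and the paths it generates shows which routes depended on the looser `search()` behaviour.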
