Commit 1966786d authored by Carl Meyer's avatar Carl Meyer
Browse files

[1.1.X] Fixed security issue in AdminFileWidget. Release and disclosure forthcoming. 

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15472 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 570a32a0

django/contrib/admin/widgets.py

+1 −1
Original line number Diff line number Diff line
@@ -93,7 +93,7 @@ class AdminFileWidget(forms.FileInput): 
        output = []

        if value and hasattr(value, "url"):

            output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \

                (_('Currently:'), value.url, value, _('Change:')))

                (_('Currently:'), escape(value.url), escape(value), _('Change:')))

        output.append(super(AdminFileWidget, self).render(name, value, attrs))

        return mark_safe(u''.join(output))

tests/regressiontests/admin_widgets/tests.py

+16 −0
Original line number Diff line number Diff line
@@ -154,3 +154,19 @@ class AdminForeignKeyRawIdWidget(DjangoTestCase): 
            post_data)

        self.assertContains(response,

            'Select a valid choice. That choice is not one of the available choices.')



class AdminFileWidgetTest(DjangoTestCase):

    def test_render_escapes_html(self):

        class StrangeFieldFile(object):

            url = "something?chapter=1&sect=2&copy=3&lang=en"



            def __unicode__(self):

                return u'''something<div onclick="alert('oops')">.jpg'''



        widget = widgets.AdminFileWidget()

        field = StrangeFieldFile()

        output = widget.render('myfile', field)

        self.assertFalse(field.url in output)

        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)

        self.assertFalse(unicode(field) in output)

        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)