Loading docs/releases/1.7.6.txt +16 −2 Original line number Diff line number Diff line Loading @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== *Under Development* *March 9, 2015* Django 1.7.6 fixes several bugs in 1.7.5. Django 1.7.6 fixes a security issue and several bugs in 1.7.5. Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` ======================================================================== The :attr:`ModelAdmin.readonly_fields <django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django admin allows displaying model fields and model attributes. While the former were correctly escaped, the latter were not. Thus untrusted content could be injected into the admin, presenting an exploitation vector for XSS attacks. In this vulnerability, every model attribute used in ``readonly_fields`` that is not an actual model field (e.g. a :class:`property`) will **fail to be escaped** even if that attribute is not marked as safe. In this release, autoescaping is now correctly applied. Bugfixes ======== Loading tests/admin_views/admin.py +1 −1 Original line number Diff line number Diff line Loading @@ -870,7 +870,7 @@ site = admin.AdminSite(name="admin") site.site_url = '/my-site-url/' site.register(Article, ArticleAdmin) site.register(CustomArticle, CustomArticleAdmin) site.register(Section, save_as=True, inlines=[ArticleInline]) site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property']) site.register(ModelWithStringPrimaryKey) site.register(Color) site.register(Thing, ThingAdmin) Loading tests/admin_views/models.py +7 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,13 @@ class Section(models.Model): """ name = models.CharField(max_length=100) @property def name_property(self): """ A property that simply returns the name. Used to test #24461 """ return self.name @python_2_unicode_compatible class Article(models.Model): Loading tests/admin_views/tests.py +9 −0 Original line number Diff line number Diff line Loading @@ -4644,6 +4644,15 @@ class ReadonlyTest(TestCase): self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True) self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)") def test_correct_autoescaping(self): """ Make sure that non-field readonly elements are properly autoescaped (#24461) """ section = Section.objects.create(name='<a>evil</a>') response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,))) self.assertNotContains(response, "<a>evil</a>", status_code=200) self.assertContains(response, "<a>evil</a>", status_code=200) @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'], ROOT_URLCONF="admin_views.urls") Loading Loading
docs/releases/1.7.6.txt +16 −2 Original line number Diff line number Diff line Loading @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== *Under Development* *March 9, 2015* Django 1.7.6 fixes several bugs in 1.7.5. Django 1.7.6 fixes a security issue and several bugs in 1.7.5. Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` ======================================================================== The :attr:`ModelAdmin.readonly_fields <django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django admin allows displaying model fields and model attributes. While the former were correctly escaped, the latter were not. Thus untrusted content could be injected into the admin, presenting an exploitation vector for XSS attacks. In this vulnerability, every model attribute used in ``readonly_fields`` that is not an actual model field (e.g. a :class:`property`) will **fail to be escaped** even if that attribute is not marked as safe. In this release, autoescaping is now correctly applied. Bugfixes ======== Loading
tests/admin_views/admin.py +1 −1 Original line number Diff line number Diff line Loading @@ -870,7 +870,7 @@ site = admin.AdminSite(name="admin") site.site_url = '/my-site-url/' site.register(Article, ArticleAdmin) site.register(CustomArticle, CustomArticleAdmin) site.register(Section, save_as=True, inlines=[ArticleInline]) site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property']) site.register(ModelWithStringPrimaryKey) site.register(Color) site.register(Thing, ThingAdmin) Loading
tests/admin_views/models.py +7 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,13 @@ class Section(models.Model): """ name = models.CharField(max_length=100) @property def name_property(self): """ A property that simply returns the name. Used to test #24461 """ return self.name @python_2_unicode_compatible class Article(models.Model): Loading
tests/admin_views/tests.py +9 −0 Original line number Diff line number Diff line Loading @@ -4644,6 +4644,15 @@ class ReadonlyTest(TestCase): self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True) self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)") def test_correct_autoescaping(self): """ Make sure that non-field readonly elements are properly autoescaped (#24461) """ section = Section.objects.create(name='<a>evil</a>') response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,))) self.assertNotContains(response, "<a>evil</a>", status_code=200) self.assertContains(response, "<a>evil</a>", status_code=200) @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'], ROOT_URLCONF="admin_views.urls") Loading
