Commit 9f6d50d0 authored by Carl Meyer

Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and...

Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15470 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 6ca7c9c4
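--- a/FILE1_PATH_PLACEHOLDER
+++ b/FILE1_PATH_PLACEHOLDER
@@ -330,12 +330,13 @@ class ClearableFileInput(FileInput):
         if value and hasattr(value, "url"):
             template = self.template_with_initial
             substitutions['initial'] = (u'<a href="%s">%s</a>'
-                                        % (value.url, value))
+                                        % (escape(value.url),
+                                           escape(force_unicode(value))))
             if not self.is_required:
                 checkbox_name = self.clear_checkbox_name(name)
                 checkbox_id = self.clear_checkbox_id(checkbox_name)
-                substitutions['clear_checkbox_name'] = checkbox_name
-                substitutions['clear_checkbox_id'] = checkbox_id
+                substitutions['clear_checkbox_name'] = conditional_escape(checkbox_name)
+                substitutions['clear_checkbox_id'] = conditional_escape(checkbox_id)
                 substitutions['clear'] = CheckboxInput().render(checkbox_name, False, attrs={'id': checkbox_id})
                 substitutions['clear_template'] = self.template_with_clear % substitutions
 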
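Review bot: The entries placed in `substitutions` are safe only because each one is escaped before the `%` interpolation into `self.template_with_clear` on the last line of the hunk, and nothing in the hunk records that invariant; a comment above the `substitutions['initial']` assignment such as `# Every entry in substitutions is interpolated into an HTML template; escape here, at the point of insertion, never in the template.` would keep a later addition from going in raw. The two new `initial` operands use `escape()` while the checkbox name/id substitutions use `conditional_escape()`; since `name` arrives as a plain string from the form the difference has no effect here, but using one helper for both would make the intent obvious. `render()` starts and ends outside this hunk, so the final `template % substitutions` and the `super().render()` call that fills `substitutions['input']` are not visible; their escaping of the widget name is presumably what the new test's `my&lt;div&gt;file` assertion covers.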
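--- a/FILE2_PATH_PLACEHOLDER
+++ b/FILE2_PATH_PLACEHOLDER
@@ -1086,6 +1086,28 @@ class ClearableFileInputTests(TestCase):
         self.assertEqual(widget.render('myfile', FakeFieldFile()),
                          u'Currently: <a href="something">something</a> <input type="checkbox" name="myfile-clear" id="myfile-clear_id" /> <label for="myfile-clear_id">Clear</label><br />Change: <input type="file" name="myfile" />')
 
+    def test_html_escaped(self):
+        """
+        A ClearableFileInput should escape name, filename and URL when
+        rendering HTML. Refs #15182.
+        """
+
+        class StrangeFieldFile(object):
+            url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+            def __unicode__(self):
+                return u'''something<div onclick="alert('oops')">.jpg'''
+
+        widget = ClearableFileInput()
+        field = StrangeFieldFile()
+        output = widget.render('my<div>file', field)
+        self.assertFalse(field.url in output)
+        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+        self.assertFalse(unicode(field) in output)
+        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
+        self.assertTrue(u'my&lt;div&gt;file' in output)
+        self.assertFalse(u'my<div>file' in output)
+
     def test_clear_input_renders_only_if_not_required(self):
         """
         A ClearableFileInput with is_required=False does not render a clear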
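Review bot: `StrangeFieldFile.url` is deliberately built so that `&sect=2` and `&copy=3` would be read by a browser as the entities `&sect;` and `&copy;` if the ampersands were left unescaped, which is what the `&amp;` assertion that follows pins down; that reasoning is not written anywhere, so a comment on the `url` line such as `# '&sect' and '&copy' parse as entities unless '&' is escaped to '&amp;'` would stop the next reader from treating the query string as arbitrary. The remaining assertions are presence/absence checks on the rendered string: the `assertTrue` lines are what actually pin the escaping, while the `assertFalse` lines only guard against the raw value leaking through, which is worth stating in the docstring. The body of `test_clear_input_renders_only_if_not_required` continues past the end of the hunk.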